This is sort of what the crit header is for. You would set some value like "use ML-DSA when present", and then even an ES256 would fail to verify unless the verifier decided to ignore this critical information.
You could also register a hybrid signature scheme that explicitly allowed verifying only 1 component, but required both to be present. The crit header seems like a better solution for PQ migration though.

OS

On Mon, Dec 30, 2024, 12:23 PM Michael Richardson <[email protected]> wrote:
>
> lgl island-resort.com <[email protected]> wrote:
>     > There is RFC 9338 for counter signatures. Your use case is not listed
>     > as one that RFC 9338 addresses. Maybe RFC 9338 can be used if you sign
>     > with the strongest signature first, then counter sign with the next
>     > weakest and so on.
>
> So the attacker can remove the weaker ones, unwrapping things essentially.
> It implies a partial ordering on algorithm strength, and the assumption that
> the "stronger" (assumed by me quantum-safe) ones are not defeated by
> something else.
>
> It seems to me that an inner attribute is needed to signal what algorithms
> the signer expects to be used.
>
>
> --
> Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
> Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
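The crit-header behaviour discussed in the thread, as an added example that is not part of any message on the list and not code from any COSE implementation. It models RFC 9052 crit processing for a hypothetical "required algorithms" header parameter: a multi-signature message carries an ES256 and an ML-DSA signature, the protected header says the ML-DSA one is required and marks that parameter critical, and three verifiers (PQ-aware, legacy honouring crit, legacy ignoring crit) are run against the original and against a copy with the ML-DSA signature stripped. Assumptions: the header label `HDR_REQUIRED_ALGS` and the algorithm label `ALG_MLDSA` are made-up private-range values (only `alg`, `crit` and ES256's -7 are registered); the signatures are HMAC stand-ins keyed per algorithm, because the point is the header logic rather than the cryptography; and the structure is plain Python dicts serialised as JSON instead of CBOR.

```python
"""Added example: COSE 'crit' processing for a PQ-migration header parameter.
Signatures are HMAC stand-ins and the ML-DSA / required-algs labels are ASSUMED
private-range values; real COSE uses CBOR, real keys and registered labels."""
import hashlib
import hmac
import json

ALG_ES256 = -7            # registered COSE algorithm label (RFC 9053)
ALG_MLDSA = -65537        # ASSUMED stand-in label for ML-DSA (not the registered value)
HDR_ALG, HDR_CRIT = 1, 2  # registered header labels 'alg' and 'crit' (RFC 9052)
HDR_REQUIRED_ALGS = -70000  # ASSUMED private-range label: "each listed alg MUST verify"

# Constructed stand-in keys; in real COSE these are an EC P-256 key and an ML-DSA key.
KEYS = {ALG_ES256: b"es256-demo-key", ALG_MLDSA: b"mldsa-demo-key"}


def _serialize(obj):
    # Deterministic stand-in for the CBOR-encoded protected header.
    return json.dumps(obj, sort_keys=True).encode()


def _sign(alg, payload, protected):
    # Stand-in for signing the Sig_structure: MAC over protected headers + payload.
    return hmac.new(KEYS[alg], _serialize(protected) + payload, hashlib.sha256).digest()


def _verify(alg, payload, protected, sig):
    return hmac.compare_digest(_sign(alg, payload, protected), sig)


def cose_sign(payload, algs, required=None):
    """Build a COSE_Sign-like message with one signature per alg. If `required`
    is given, the body protected header lists those algs and marks the
    parameter critical, so every signature is bound to that policy."""
    body_protected = {}
    if required:
        body_protected[HDR_REQUIRED_ALGS] = list(required)
        body_protected[HDR_CRIT] = [HDR_REQUIRED_ALGS]
    signatures = []
    for alg in algs:
        sig_protected = {HDR_ALG: alg}
        bound = {**body_protected, **sig_protected}  # body + per-signature protected
        signatures.append({"protected": sig_protected,
                           "signature": _sign(alg, payload, bound)})
    return {"protected": body_protected, "payload": payload, "signatures": signatures}


def cose_verify(msg, understood, honor_crit=True):
    """`understood` is the set of header labels this verifier knows.
    Returns (ok, reason). RFC 9052 requires failing on any unknown critical
    label; honor_crit=False models a verifier that ignores that rule."""
    body_protected = msg["protected"]
    if honor_crit:
        for label in body_protected.get(HDR_CRIT, []):
            if label not in understood:
                return False, f"unknown critical header parameter {label}"
    valid = set()
    for s in msg["signatures"]:
        alg = s["protected"][HDR_ALG]
        bound = {**body_protected, **s["protected"]}
        if alg in KEYS and _verify(alg, msg["payload"], bound, s["signature"]):
            valid.add(alg)
    if not valid:
        return False, "no valid signature"
    if HDR_REQUIRED_ALGS in understood:
        missing = set(body_protected.get(HDR_REQUIRED_ALGS, [])) - valid
        if missing:
            return False, f"required algorithms missing or invalid: {sorted(missing)}"
    return True, "ok"


def strip_signature(msg, alg):
    """Attacker removes the signature made with `alg` (e.g. the PQ one)."""
    return {**msg, "signatures": [s for s in msg["signatures"]
                                  if s["protected"][HDR_ALG] != alg]}


def strip_policy(msg):
    """Attacker also tries to delete the policy; it lives in the protected
    header, so every remaining signature stops verifying."""
    protected = {k: v for k, v in msg["protected"].items()
                 if k not in (HDR_CRIT, HDR_REQUIRED_ALGS)}
    return {**msg, "protected": protected}


PQ_AWARE = {HDR_ALG, HDR_CRIT, HDR_REQUIRED_ALGS}
LEGACY = {HDR_ALG, HDR_CRIT}


def demo(payload=b"constructed payload"):
    """Run the scenarios from the thread and return {name: ok}."""
    msg = cose_sign(payload, [ALG_ES256, ALG_MLDSA], required=[ALG_MLDSA])
    stripped = strip_signature(msg, ALG_MLDSA)
    return {
        "intact, pq-aware verifier": cose_verify(msg, PQ_AWARE)[0],
        "stripped, pq-aware verifier": cose_verify(stripped, PQ_AWARE)[0],
        "stripped, legacy honours crit": cose_verify(stripped, LEGACY)[0],
        "stripped, legacy ignores crit": cose_verify(stripped, LEGACY, honor_crit=False)[0],
        "stripped + policy removed, legacy ignores crit":
            cose_verify(strip_policy(stripped), LEGACY, honor_crit=False)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:48s} -> {'accept' if ok else 'reject'}")
```

The only path that accepts the downgraded message is the legacy verifier that ignores crit, which is exactly the failure mode the reply describes; the policy itself cannot be stripped because it sits in the protected header that every signature covers.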
