Thanks Brian, I wasn’t aware this was in WGLC. 

I doubt this will see much if any real-world use, because ML-DSA signatures are so enormous. But I have no objection to it being published.   

That said, the draft seems *very* underspecified. The definition of the AKP key type seems to just be by example. There’s no specification of what fields it contains or what format they take. Presumably the idea is that it has “pub” and “priv” fields that are arbitrary bytes (base64-encoded for JWK) and that beyond that the format is determined by the “alg” field, but the draft doesn’t say any of this. The examples are also truncated (without saying they are). 

It should then say exactly what “pub” and “priv” contain for ML-DSA at least! Are they X.509 or what? It appears that the “priv” field contains only the 32-byte seed, and that a library will need to call KeyGen_internal to convert that into an actual private key to pass to the sign procedure? (Which presumably, given the name, might not be exposed by crypto modules?)

Getting on to the actual signature algorithm, FIPS 204 says that signing takes a context string. What is this set to for JOSE/COSE?

What is the format of the signature? Presumably it’s the base64url-encoded output of the FIPS 204 signing process?

The test vectors should document what the various fields are (some appear to be hex, others base64), and maybe the step by step computations. I’m also not sure an all-zero private key, and reusing the same key for all algorithms, is necessarily a good way to generate test vectors. 

Are there really no independent security considerations? At the very least perhaps point out that the public keys and signatures are much larger than for any other algorithm currently specified. I’d have assumed that was a concern for COSE. 

I think at the current state of the draft I would not be confident that I could implement it and be sure of interoperating with anyone. 

— Neil
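A consistency check built on Neil's reading of the draft, added here as an illustration and not part of the thread or the draft: it assumes an AKP JWK carries base64url "pub" and "priv" fields, that "priv" is the 32-byte seed, and compares the public-key and signature lengths against the FIPS 204 sizes for each ML-DSA parameter set.

```python
import base64

# Sizes in bytes from FIPS 204 (public key, signature) per parameter set.
# The "pub"/"priv" names and the 32-byte seed are assumptions taken from the
# reading of the draft in the message above, not from the draft itself.
ML_DSA_SIZES = {
    "ML-DSA-44": {"pub": 1312, "sig": 2420},
    "ML-DSA-65": {"pub": 1952, "sig": 3309},
    "ML-DSA-87": {"pub": 2592, "sig": 4627},
}
SEED_LEN = 32

def b64url_decode(s: str) -> bytes:
    # JOSE base64url is unpadded; re-pad for the stdlib and reject bad characters.
    if "=" in s:
        raise ValueError("JOSE base64url must be unpadded")
    padded = s.translate(str.maketrans("-_", "+/")) + "=" * (-len(s) % 4)
    return base64.b64decode(padded, validate=True)

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def check_akp_jwk(jwk: dict) -> dict:
    # Return decoded key material if sizes match the claimed alg, else raise.
    if jwk.get("kty") != "AKP":
        raise ValueError("kty must be AKP")
    alg = jwk.get("alg")
    if alg not in ML_DSA_SIZES:
        raise ValueError(f"unsupported or missing alg: {alg!r}")
    pub = b64url_decode(jwk["pub"])  # KeyError if absent: pub is mandatory
    if len(pub) != ML_DSA_SIZES[alg]["pub"]:
        raise ValueError(f"pub is {len(pub)} bytes, expected {ML_DSA_SIZES[alg]['pub']}")
    out = {"alg": alg, "pub": pub}
    if "priv" in jwk:
        priv = b64url_decode(jwk["priv"])
        if len(priv) != SEED_LEN:
            raise ValueError(f"priv is {len(priv)} bytes, expected a {SEED_LEN}-byte seed")
        out["priv"] = priv
    return out

def check_signature_len(alg: str, sig_b64url: str) -> int:
    # A JWS signature part should be exactly the FIPS 204 signature size for alg.
    sig = b64url_decode(sig_b64url)
    if len(sig) != ML_DSA_SIZES[alg]["sig"]:
        raise ValueError(f"signature is {len(sig)} bytes, expected {ML_DSA_SIZES[alg]['sig']}")
    return len(sig)

# Constructed sample: correct lengths, all-zero bytes (not a real key pair).
SAMPLE_JWK = {"kty": "AKP", "alg": "ML-DSA-44",
              "pub": b64url_encode(bytes(1312)), "priv": b64url_encode(bytes(32))}
```

The same length table shows why the size concern raised above matters: an ML-DSA-87 signature is roughly 4.6 KB, compared with 64 bytes for an ECDSA P-256 signature.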

On 19 Nov 2024, at 18:14, Brian Campbell <[email protected]> wrote:


Sending to the JOSE list too in hopes of soliciting some informed review from folks in that WG.  As the title suggests "ML-DSA for JOSE and COSE" is for JOSE as well as COSE.


On Tue, Nov 19, 2024 at 9:47 AM Michael Jones <[email protected]> wrote:

Hi all,

This message starts the Working Group Last Call (WGLC) for https://www.ietf.org/archive/id/draft-ietf-cose-dilithium-04.html (ML-DSA for JOSE and COSE), as was discussed at IETF 121 in Dublin.  The WGLC will run for two weeks, ending on Tuesday, December 3, 2024.

Please review and send any comments or feedback to the working group.  Even if your feedback is “this is ready for publication”, please let us know.

Thank you,

-- Mike and Ivaylo, COSE Chairs

_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
