Hi Neil (and thanks Brian),

I have started processing your feedback here:
https://github.com/cose-wg/draft-ietf-cose-dilithium/pull/14

Neil, may I add your name (Neil Madden) to the acknowledgements section of
this document?

I have not yet addressed all your comments, and will leave the issue
tracking them open until I can resolve them.

In particular your comment on choice of ctx requires some coordination with
LAMPS:
https://github.com/lamps-wg/dilithium-certificates/issues/24

Thank you for these comments, they are excellent.

Regards,

OS

On Tue, Nov 19, 2024 at 1:33 PM Neil Madden <[email protected]> wrote:

> Thanks Brian, I wasn’t aware this was in WGLC.
>
> I doubt this will see much if any real-world use, because ML-DSA
> signatures are so enormous. But I have no objection to it being published.
>
> That said, the draft seems *very* underspecified. The definition of the
> AKP key type seems to just be by example. There’s no specification of what
> fields it contains or what format they take. Presumably the idea is that it
> has “pub” and “priv” fields that are arbitrary bytes (base64-encoded for
> JWK) and that beyond that the format is determined by the “alg” field, but
> the draft doesn’t say any of this. The examples are also truncated (without
> saying they are).
>
> It should then say exactly what “pub” and “priv” contain for ML-DSA at
> least! Are they X.509 or what? It appears that the “priv” field contains
> only the 32-byte seed, and that a library will need to call KeyGen_internal
> to convert that into an actual private key to pass to the sign procedure?
> (Which presumably, given the name, might not be exposed by crypto modules?)
>
> Getting on to the actual signature algorithm, FIPS 204 says that signing
> takes a context string. What is this set to for JOSE/COSE?
>
> What is the format of the signature? Presumably it’s the base64url-encoded
> output of the FIPS 204 signing process?
>
> The test vectors should document what the various fields are (some appear
> to be hex, others base64), and maybe the step by step computations. I’m
> also not sure an all-zero private key, and reusing the same key for all
> algorithms, is necessarily a good way to generate test vectors.
>
> Are there really no independent security considerations? At the very least
> perhaps point out that the public keys and signatures are much larger than
> for any other algorithm currently specified. I’d have assumed that was a
> concern for COSE.
>
> I think at the current state of the draft I would not be confident that I
> could implement it and be sure of interoperating with anyone.
>
> — Neil
>
> On 19 Nov 2024, at 18:14, Brian Campbell <bcampbell=[email protected]>
> wrote:
>
> Sending to the JOSE list too in hopes of soliciting some informed review
> from folks in that WG. As the title suggests "ML-DSA for JOSE and COSE" is
> for JOSE as well as COSE.
>
> On Tue, Nov 19, 2024 at 9:47 AM Michael Jones <[email protected]>
> wrote:
>
>> Hi all,
>>
>> This message starts the Working Group Last Call (WGLC) for
>> https://www.ietf.org/archive/id/draft-ietf-cose-dilithium-04.html
>> (ML-DSA for JOSE and COSE), as was discussed at IETF 121 in Dublin. The
>> WGLC will run for two weeks, ending on Tuesday, December 3, 2024.
>>
>> Please review and send any comments or feedback to the working group.
>> Even if your feedback is “this is ready for publication”, please let us
>> know.
>>
>> Thank you,
>>
>> -- Mike and Ivaylo, COSE Chairs
>>
>> _______________________________________________
>> COSE mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]

--
ORIE STEELE
Chief Technology Officer
www.transmute.industries <https://transmute.industries>
_______________________________________________
jose mailing list -- [email protected]
To unsubscribe send an email to [email protected]
