Hi, Simo,

Great. We have agreed with each other on some points, I think. Please see my comments inline below.

Cheers,

Guilin

-----Original Message-----
From: Simo Sorce <[email protected]>
Sent: Sunday, 19 October 2025 4:14 am
To: Wang Guilin <[email protected]>; Lucas Prabel <[email protected]>; Orie <[email protected]>; John Mattsson <[email protected]>
Cc: [email protected]; [email protected]; cose <[email protected]>; Wang Guilin <[email protected]>
Subject: Re: [jose] Re: Call for Adoption request: draft-prabel-jose-pq-composite-sigs-04

On Sat, 2025-10-18 at 06:20 +0000, Wang Guilin wrote:
> The point is: Customers (and also professionals, like experts here) do not
> exactly know when CRQC will be available. So, there is a long period up to
> years for such uncertainty. For example, if this uncertain period is
> 2030-2035, what customers should do in 2030 or 2031?

The fact is that with signature as used in JOSE there is generally no problem until a CRQC is available, and even then it needs to be fast for it to be a problem for authentication schemes.

So there is no need to rush to deploy QC until the threat is imminent.

My answer would be: wait a couple of years until you are confident your PQ algorithm of choice is solid and then migrate to that.

----------------
Guilin's Comments:

For scenarios using JOSE/COSE, I myself am not sure how long PQ migration will take, even just for fast user/message authentication in each scenario. Hope experts and chairs could share your insights.

However, IMO, maybe we cannot simply say "So there is no need to rush to deploy QC until the threat is imminent". A few reasons I can imagine:

- 1) PKI certificates may be involved. So, when constructing their whole PKI systems, should customers consider using PQ (hybrid or pure) signatures now or soon, by supposing that CRQC may arrive in reality around 2035? In this sense, I am happy to see that Lamps has made great progress for progressing PQ certificates and CMSs (up to the end of 2025, about 12 RFCs will be released). Internally, we have reminded our colleagues to update our pre-installed PKI systems with PQ capability.

- 2) The chain of standardization in IETF, and then further in related vertical sectors, and then regulation update and deployment in real application and businesses, is very long. So, doing such a migration is time-consuming. In this aspect, even if IETF has finished all mainstream PQ migration standardization by 2025, many vertical sectors and businesses may still not be able to complete PQ migration by 2035. 5 or 10 years are actually very short for such cryptographic updates from the ground floor. On the other hand, some sectors may aim to start their PQ migration or even offer commercial PQ services certification much quicker. For example, IEEE 802.11 is planning to finish PQ migration standard around the end of 2026, and WFA is planning to issue PQ certification in 2026Q1. IETF standardization and protocols are normally referenced by these standardization bodies, though I am not sure if JOSE/COSE are used in WiFi or 3GPP.

So, depending on the concrete scenarios, "wait a couple of years until you are confident your PQ algorithm of choice is solid and then migrate to that" may be right or may be wrong. At least for US NSS providers, if JOSE/COSE are related, waiting a couple of years seems impossible, as they are required to complete PQ migration by 2033.
----------------

Encryption is an entirely different thing, you need to move a lot earlier because of "harvest now, decrypt later" therefore hybrid KEMs are very important and should be deployed asap.

Different threats require different answers and different timing.

----------------
Guilin's Comments:

Fully agree with you on these two points.
----------------

Simo.

--
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc
