I'm against adoption. - A first step should be to discuss if JOSE needs hybrid signatures and if yes, to discuss what kind of hybrid signatures. This has not been done at all.
- If JOSE wants to do hybrid signatures, I think JOSE should avoid exactly the kind of hybrids specified in this draft. This looks like an experiment from 2019, not something that should be standardized in 2027. - One argument why this is needed has been that Europe recommends hybrids, but the EU defines a hybrid as "A combination of a post-quantum algorithm and a quantum-vulnerable algorithm for the same mechanism, such that the security is as high as the higher of the ingredients.". The algorithms in this draft are not hybrids according to that definition as they break the important SUF-CMA property of standalone ML-DSA. https://ec.europa.eu/newsroom/dae/redirection/document/117507 Cheers, John
_______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
