On Fri, Feb 27, 2026 at 07:05:38AM -0800, [email protected] wrote:
> Internet-Draft draft-ietf-jose-pq-composite-sigs-01.txt is now available. It
> is a work item of the Javascript Object Signing and Encryption (JOSE) WG of
> the IETF.
>
>    Title:   PQ/T Hybrid Composite Signatures for JOSE and COSE
>    Authors: Lucas Prabel
>             Sun Shuzhou
>             John Gray
>             Tirumaleswar Reddy
>    Name:    draft-ietf-jose-pq-composite-sigs-01.txt
>    Pages:   29
>    Dates:   2026-02-27

Some comments:

- There are some overlong lines, making side-by-side diff difficult to
  read.

- "Point compression for the ECDSA or EdDSA component is not performed
  for the AKP JSON Web Key Type but can be performed for the AKP COSE
  Key Type."

  For ECDSA, performing the optional point compression is not
  compatible with using SerializePublicKey()/DeserializePublicKey(),
  since those functions always use the uncompressed form.

  And for EdDSA, optional point compression is meaningless, because
  EdDSA always performs point compression.

  All publicly computable transforms are trivially secure.

- Using SerializeSignatureValue()/DeserializeSignatureValue() uses
  ASN.1 for ECDSA signatures, which is undesirable (especially in
  COSE), as it adds unnecessary complexity (in a very sensitive place).

  All publicly computable transforms are trivially secure.

- Also, SerializePrivateKey()/DeserializePrivateKey() uses ASN.1 for
  ECDSA keys, which is undesirable (especially in COSE).

  This is also publicly computable as a transform, even if it is done on
  private data.

- A security concern is that implementing these hybrids may interfere
  with removing unsafe signature algorithms when Q-Day arrives. It is
  very difficult to ensure insecure signatures are not used without
  completely ripping out the implementation.

-Ilari
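
The ASN.1 complexity the message raises for ECDSA signatures, shown as an added example that is not part of the original message or of the draft: a strict parser for the DER form (ECDSA-Sig-Value, a SEQUENCE of two INTEGERs) next to the fixed-width r||s split. It assumes a P-256 component; the function names and sample values are constructed for illustration.

```python
# Added example (not from the draft): two encodings of one ECDSA P-256 signature.
N_LEN = 32  # bytes per scalar; assumes the P-256 component
R, S = (1 << 255) | 5, 0x1234  # constructed sample values, not a real signature

def split_raw(sig: bytes) -> tuple[int, int]:
    """Fixed-width r||s: a single length check, then two slices."""
    if len(sig) != 2 * N_LEN:
        raise ValueError("raw signature must be 64 bytes")
    return int.from_bytes(sig[:N_LEN], "big"), int.from_bytes(sig[N_LEN:], "big")

def _tlv(buf: bytes, pos: int, tag: int) -> tuple[bytes, int]:
    """Read one DER TLV with a short-form length (P-256 never needs long form)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag or truncated header")
    length = buf[pos + 1]
    end = pos + 2 + length
    if length >= 0x80 or end > len(buf):
        raise ValueError("long/indefinite length or truncated value")
    return buf[pos + 2:end], end

def _uint(body: bytes) -> int:
    """DER INTEGER body: non-empty, non-negative, minimal, fits in N_LEN bytes."""
    if not body or body[0] & 0x80:
        raise ValueError("empty or negative INTEGER")
    if len(body) > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER (extra leading zero)")
    value = int.from_bytes(body, "big")
    if value >> (8 * N_LEN):
        raise ValueError("INTEGER too large for the curve")
    return value

def parse_der(sig: bytes) -> tuple[int, int]:
    """Strict parse of ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }."""
    seq, end = _tlv(sig, 0, 0x30)
    if end != len(sig):
        raise ValueError("trailing bytes after SEQUENCE")
    r_body, pos = _tlv(seq, 0, 0x02)
    s_body, pos = _tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("trailing bytes inside SEQUENCE")
    return _uint(r_body), _uint(s_body)

def encode_der(r: int, s: int) -> bytes:
    """Minimal DER encoding, used here to build the constructed sample."""
    def integer(v: int) -> bytes:
        body = v.to_bytes(v.bit_length() // 8 + 1, "big")  # room for the sign bit
        return bytes([0x02, len(body)]) + body
    seq = integer(r) + integer(s)
    return bytes([0x30, len(seq)]) + seq
```

The raw form is always 64 bytes, while the DER form of the same pair varies in length with the values and has several malformed shapes that the parser must reject explicitly.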
