Raymond, Thank you for the careful read.
All three points land, and in the order you ranked them.
On the fingerprint (Q3):
You are right on both counts. The "128 bits" and the "4 groups of 4 hex chars" in my post contradicted each other; 4 x 4 hex digits is 64 bits, and 64 is what is actually in the spec text. The 128 was a transcription slip in the post. So the real number is worse than I described.
And you are right that the threat model is collision, not second-preimage. The registry is the lookup side: if an attacker can grind two keypairs whose fingerprints collide, they swap identity claims under registry ambiguity, and that is the cheaper attack.
At 64 bits the birthday bound is roughly 2^32, which is grindable on a laptop, exactly as you say. Evil32 and the older OpenPGP short-key-ID confusions are the right precedent. Fix path I am taking back to the working group. First, raise the on-the-wire fingerprint to 128 bits (32 hex digits), so the birthday bound on a registry-grinding adversary is roughly 2^64.
That is a defensible floor against commodity-hardware grinding over the registration window. TIP-ID also binds a Verification Provider attestation to the public key at issuance time, so a successful grind has to clear both the fingerprint match and the VP's identity proof; the fingerprint width is the cryptographic floor, not the entire defence.
Second, display the 128-bit fingerprint as two lines of 16 hex characters, not one compressed line. The original reason for going short was the human-display constraint, and two lines is still a single glance. Open question I would value pushback on: is 128 bits the right floor, or does the registry threat model justify 160 bits (Tor v3 onion-service territory, roughly 2^80 collision resistance, at the cost of a third line on display)?
I am inclined toward 128 as the default with a 160-bit option for institutional registrants, but I want to hear the argument against.
On the archive layer (Q2):
You are right about the category mismatch. SLH-DSA-SHA2-128s is Category 1; the everyday content signature (ML-DSA-65) is Category 3. The intent was for the archive layer to be the conservative floor, so sitting it a category below the content layer is exactly backwards.
The fix is SLH-DSA-SHA2-192s, which preserves the small (-s) sign-once verify-many trade-off and lands the archive layer at Category 3, matching the content layer. The signature size cost is roughly 16 KB instead of 8 KB, which is fine for the archive use case (we are signing the manifest of a publishable artefact, not the artefact itself, and we sign it once).
I will update the spec to SLH-DSA-SHA2-192s before audit.
On the ML-DSA category labels:
Caught. ML-DSA defines Categories 2, 3, and 5 (ML-DSA-44, -65, -87, respectively). The "Cat 1" reference in my post should have been Cat 2. The spec text has the labels right; the list post was the typo.
I will note the correction in the whitepaper changelog when the next revision lands so the public record reads cleanly.
On Q1 framing:
This is the most important part of your reply for the design, and I want to think with you on it rather than respond fast. You are right that the gap between Cat 3 and Cat 5 is not where the real risk lives at a 50-year horizon. If the lattice assumption breaks, Cat 5 buys very little.
The honest hedge is the hash-based fallback, and the question I should be asking is where the boundary between the lattice layer and the hash layer falls. The current design treats the ML-DSA layer as the everyday content path (5 to 50 year verification horizon) and the SLH-DSA layer as the archive path (50 years and above, or sovereign claims: notary attestations, government documents, scientific record). Your framing makes me want to revisit two things before audit. The first is whether anything with a genuine multi-decade verification horizon should default to ML-DSA at all.
The current spec lets a publisher elect to dual-sign with SLH-DSA-192s as a belt-and-suspenders option, but does not require it. A stricter rule would be: any content tagged as part of the institutional or public-record corpus signs with both ML-DSA-65 (for everyday verification cost) and SLH-DSA-192s (for the long-horizon hedge), mandatory not optional.
The second is whether the boundary between the two layers should be content-type-driven (as it is now) or horizon-driven (the publisher declares an intended verification horizon at sign time, and the protocol chooses the primitive). Horizon-driven has the appeal of forcing publishers to think about what they are claiming. It has the cost of giving them a knob they may set wrongly. I would value your read on which boundary is the more defensible one before audit, on or off list.
The dual-sign-by-default rule for institutional content feels like the right floor to me, but I want to test that against your sign-once / verify-many framing more carefully. I will fold all four updates (fingerprint width, fingerprint threat model, SLH-DSA-192s for archive, ML-DSA category corrections) into the next whitepaper revision and post the diff back to the list when it is published.
Thanks again for the time.