XMSS


Chris Rapier

Sep 1, 2023, 1:10:48 PM
to openssh-...@mindrot.org
Hey there,

I know XMSS support has been experimental for quite some time. Is there
any push to change the status? Just curious more than anything else.

Chris
_______________________________________________
openssh-unix-dev mailing list
openssh-...@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Christian Weisgerber

Sep 1, 2023, 4:38:15 PM
to openssh-...@mindrot.org
Chris Rapier:

> I know XMSS support has been experimental for quite some time. Is there any
> push to change the status? Just curious more than anything else.

I don't expect XMSS to ever be enabled by default. Better PQC
signature algorithms are in the pipeline, e.g., Google and ETH
recently announced a hybrid ECDSA/Dilithium implementation small
enough to fit on a FIDO2 security key.
https://security.googleblog.com/2023/08/toward-quantum-resilient-security-keys.html

XMSS has properties that match up poorly with typical SSH usage:
* Private keys can only sign a limited number of messages.
* The private key changes with every signature generation.
The key must be reliably updated since reusing an old key breaks
security.

That may be acceptable if you sign a file using an SSH key, but it
won't fly with sshd.

--
Christian "naddy" Weisgerber na...@mips.inka.de
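The two properties Christian lists (one-time leaf keys, so the private key state must advance and be saved before every signature leaves the signer, and exhaustion after 2**height signatures), shown as an added toy example that is not part of this thread and not OpenSSH's XMSS code. It is a Lamport-OTS-under-a-Merkle-tree sketch, not RFC 8391 XMSS (no WOTS+, no bitmasks, no L-trees); all names are illustrative.

```python
import hashlib
import os

N = 256  # toy Lamport OTS: one secret pair per digest bit; not RFC 8391 XMSS (no WOTS+, no L-trees)

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]
    return sk, [(H(a), H(b)) for a, b in sk]           # (secret, public) pair per bit
def leaf_hash(pk):
    return H(*(x for pair in pk for x in pair))         # Merkle leaf = hash of the OTS pk
def bits(msg):
    return [(byte >> s) & 1 for byte in H(msg) for s in range(7, -1, -1)]
def lamport_sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]  # reveals half of the OTS secret
def lamport_verify(pk, msg, ots):
    return all(H(ots[i]) == pk[i][b] for i, b in enumerate(bits(msg)))

def merkle_levels(leaves):
    levels = [leaves]                                   # levels[-1] ends up as [root]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def auth_path(levels, idx):
    return [lvl[(idx >> k) ^ 1] for k, lvl in enumerate(levels[:-1])]  # sibling per level

def root_from_path(leaf, idx, path):
    for k, sib in enumerate(path):
        leaf = H(leaf, sib) if (idx >> k) % 2 == 0 else H(sib, leaf)
    return leaf

class StatefulSigner:
    def __init__(self, height):
        self.keys = [lamport_keygen() for _ in range(2 ** height)]
        self.levels = merkle_levels([leaf_hash(pk) for _, pk in self.keys])
        self.public_key = self.levels[-1][0]
        self.next_index = 0   # the part of the private key that changes on every signature
    def sign(self, msg):
        if self.next_index >= len(self.keys):
            raise RuntimeError("key exhausted: every one-time leaf has been used")
        idx, (sk, pk) = self.next_index, self.keys[self.next_index]
        self.next_index += 1  # must be durably saved BEFORE the signature is released
        return idx, lamport_sign(sk, msg), pk, auth_path(self.levels, idx)

def verify(public_key, msg, sig):
    idx, ots, pk, path = sig
    return lamport_verify(pk, msg, ots) and root_from_path(leaf_hash(pk), idx, path) == public_key
```

Signing the same file twice consumes two different leaves, and once `next_index` reaches 2**height the signer refuses rather than reusing a leaf; a long-running sshd would have to persist that counter atomically on every connection, which is the mismatch with typical SSH usage.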