[TLS] Re: Composite ML-DSA

Filippo Valsorda <filippo@ml.filippo.io> Wed, 15 April 2026 12:45 UTC

Feedback-ID: i2e91459c:Fastmail
MIME-Version: 1.0
Date: Wed, 15 Apr 2026 14:43:19 +0200
From: Filippo Valsorda <filippo@ml.filippo.io>
To: tirumal reddy <kondtir@gmail.com>
Message-Id: <d69ba150-0257-4e64-9abb-9229d03a03a6@app.fastmail.com>
In-Reply-To: <CAFpG3gcC+UfO7E=ADGhwr2En5PwipZiq_r6_RdqvmT-5nnh2jw@mail.gmail.com>
References: <16CF0FDA-7263-461A-9F2B-D37DBEAF5DD9@sn3rd.com> <25c8d414-e4c8-455b-bd64-28132615ba75@cs.tcd.ie> <68f49a81-dd2c-4bea-896a-87da3e6aff68@tu-dresden.de> <CAMjbhoWwvfkfScpbf4-5PBzk__qb+6M4ZzAOba64kk9aXBba5g@mail.gmail.com> <d47a34ab-7fb9-4687-84aa-a5fa6bcf6a6c@tu-dresden.de> <2971d01a-89e3-43d3-a01d-b9c17b178763@amongbytes.com> <692bb582-ab7e-4d6b-aa75-ac5d93228bb2@tu-dresden.de> <DS4PPFA08475C7DBE27468E40C672197481C1242@DS4PPFA08475C7D.namprd11.prod.outlook.com> <LV0PR21MB6623B48B1F3A05D745F5A79D8C242@LV0PR21MB6623.namprd21.prod.outlook.com> <ad0svakv_WUM3btz@chardros.imrryr.org> <CAF8qwaBU_YHWX2MsWeeaOJ8sutR1wMozvbiTJF5kyvTE8YjWWA@mail.gmail.com> <CACsn0c=GDta824UF7uJ3nw_4U_rT=XhYOGHRemMWa+2AdbsiAg@mail.gmail.com> <3a16c7c4-345e-48ce-af70-a3bf503c8caf@app.fastmail.com> <CACf5n7_0hdeHJXXucva9pb=+pjhcgveHRpjA8XAcXB3LsYUvaw@mail.gmail.com> <CAFpG3gcC+UfO7E=ADGhwr2En5PwipZiq_r6_RdqvmT-5nnh2jw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="5494ba811c7788ea8feadb446b8960e383f12d52"
Message-ID-Hash: 2OCISAZLOP357WKF6CIEPKLSRT5ZFWQ7
CC: "<tls@ietf.org>" <tls@ietf.org>
Precedence: list
Subject: [TLS] Re: Composite ML-DSA
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/oh3jmmkHzHdp1hk4R4M9QjkmvBk>

2026-04-15 07:45 GMT+02:00 tirumal reddy <kondtir@gmail.com>:
> Could you elaborate on the reasons behind this position? Understanding the specific objections would help us address them in the draft or in the WG discussion.  

I think hybrid authentication is firmly on the wrong side of the complexity / benefit tradeoff.

The benefit is a little lower than hybrid key exchange due to the lack of store-now-decrypt-later risk [0], but that's not the interesting side of the tradeoff.

The complexity cost is vastly higher than hybrid key exchange for two reasons:
 1. Composite keys leak all over the API and application/configuration layer. Libraries need to define structures and types for composite public and private keys. Their format needs to be standardized. Web servers and system administration tools need to support these formats. OIDs need to propagate from the TLS stack through the X.509 one. Deploying ephemeral hybrid key exchange required none of this: it was a self-contained, fully abstracted change in a single piece of software.
 2. The mechanism they fit into, X.509 authentication, is already way more complex than key exchange, and more prone to mistakes. Just last week WolfSSL disclosed a vulnerability (CVE-2026-5194) that let _anyone forge certificates_. It's described as having to do with hash lengths, but one of the root causes is incorrectly handling a signature algorithm with pre-hashing (ECDSA) and one without (Ed25519 or ML-DSA), which led—along with another bug in matching issuer/child OIDs—to checking an ECDSA signature over an empty hash if the leaf claimed an Ed25519 signature. In hindsight, the Ed25519 design of taking a message instead of a hash was a mistake [1]: it mitigated no collision attacks against hashes, and contributed to at least one critical auth bypass. Preventing those *is the whole job*. Now it's just "what if lattices are broken" instead of "what if collision resistance is broken" and composite signature types introduce significantly more complexity than no-pre-hashing signatures to mitigate that hypothetical threat.
There's a reason the immediate chorus of "hell no" came from (most of) the implementers.

Overall, I think composite signatures are a net negative, will hurt the ecosystem, and should not be implemented. But I also don't believe in the IETF being a gatekeeper for implementing/deploying things, so I have no opinions on what does and doesn't become an RFC. (In either direction: I don't care if a thing we implement is not an RFC, and I don't care if a thing we don't implement is an RFC.)

[0]: It's also late in the game. Composite signatures don't exist for deployed values of existing. Maybe if they existed two years ago, they could have provided more benefit. Maybe. But they didn't, and I think they didn't in part because of how much more complex they are. Now there's significantly less uncertainty to hedge.

[1]: The right design for both Ed25519 and ML-DSA would have been to pick *one* hash, and define the signature algorithm as taking a digest of that type. There was even an obvious answer: SHA-512 for Ed25519 and SHA-3 for ML-DSA. One mode, easily enforced fixed size input, easy to test, compatible with hardware interfaces, fits the existing pre-hashed APIs. Alas, that ship has sailed.

> -Tiru
> 
> On Tue, 14 Apr 2026 at 04:33, David Adrian <davadria@umich.edu> wrote:
>> I am perfectly fine defining composite certificates however, I will go further than other David and say that Chrome cannot, should not, must not, and will not implement composite certificates in TLS. 
>> 
>> On Mon, Apr 13, 2026 at 3:51 PM Filippo Valsorda <filippo@ml.filippo.io> wrote:
>>> __
>>> We have no plans to implement composite certificates either.
>>> 
>>> 2026-04-14 00:20 GMT+02:00 Watson Ladd <watsonbladd@gmail.com>:
>>>> I do not think composite certs make sense for TLS.
>>>> 
>>>> On Mon, Apr 13, 2026 at 12:33 PM David Benjamin <davidben@chromium.org> wrote:
>>>> >
>>>> > On Mon, Apr 13, 2026 at 10:51 AM Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
>>>> >>
>>>> >> On Mon, Apr 13, 2026 at 04:30:34PM +0000, Andrei Popov wrote:
>>>> >>
>>>> >> > Just to weigh in on this: I would support adoption of
>>>> >> > draft-reddy-tls-composite-mldsa. There is customer demand for
>>>> >> > composite certs, and I would like to get these implemented in the
>>>> >> > Windows TLS stack.
>>>> >>
>>>> >> I don't know what sort of interoperability you are expecting with these,
>>>> >> I am strongly inclined to NOT implement any of the composite signature
>>>> >> algorithms, at least not in TLS.  It may be harder to fend off their
>>>> >> adoption in CMS, but ideally sit that out as well, until we either have
>>>> >> CRQCs and hybrids are pointless, or we don't have CRQCs and know why
>>>> >> we're never going to have them.
>>>> >
>>>> >
>>>> > We're also not planning to implement composite ML-DSA in TLS.
>>>> >
>>>> > David
>>>> > _______________________________________________
>>>> > TLS mailing list -- tls@ietf.org
>>>> > To unsubscribe send an email to tls-leave@ietf.org
>>>> 
>>>> 
>>>> 
>>>> -- 
>>>> Astra mortemque praestare gradatim
>>>> 
>>>> _______________________________________________
>>>> TLS mailing list -- tls@ietf.org
>>>> To unsubscribe send an email to tls-leave@ietf.org
>>>> 
>>> 
>>> _______________________________________________
>>> TLS mailing list -- tls@ietf.org
>>> To unsubscribe send an email to tls-leave@ietf.org
>> _______________________________________________
>> TLS mailing list -- tls@ietf.org
>> To unsubscribe send an email to tls-leave@ietf.org

[TLS] Re: Composite ML-DSA John Mattsson
[TLS] Re: Working Group Last Call for Use of ML-D… Filippo Valsorda
[TLS] Working Group Last Call for Use of ML-DSA i… Sean Turner
[TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
[TLS] Re: Working Group Last Call for Use of ML-D… Yaroslav Rosomakho
[TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Stephen Farrell
[TLS] Re: [EXTERNAL] Working Group Last Call for … Andrei Popov
[TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… Quynh Dang
[TLS] Re: Working Group Last Call for Use of ML-D… Stephen Farrell
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Jack Grigg
[TLS] Re: Working Group Last Call for Use of ML-D… Daniel Van Geest
[TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
[TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Ilari Liusvaara
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Nadim Kobeissi
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Stephen Farrell
[TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
[TLS] Re: Working Group Last Call for Use of ML-D… Jan Schaumann
[TLS] Re: Working Group Last Call for Use of ML-D… Corey Bonnell
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Soatok Dreamseeker
[TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Watson Ladd
[TLS] Re: Working Group Last Call for Use of ML-D… Loganaden Velvindron
[TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
[TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
[TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
[TLS] Re: Working Group Last Call for Use of ML-D… Robert Relyea
[TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
[TLS] Re: Working Group Last Call for Use of ML-D… Yaroslav Rosomakho
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
[TLS] Re: Working Group Last Call for Use of ML-D… Marc Penninga
[TLS] Re: Working Group Last Call for Use of ML-D… Michael StJohns
[TLS] Re: Working Group Last Call for Use of ML-D… Martin Thomson
[TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
[TLS] Re: Working Group Last Call for Use of ML-D… Peter Gutmann
[TLS] Re: Working Group Last Call for Use of ML-D… tirumal reddy
[TLS] Re: Working Group Last Call for Use of ML-D… Soatok Dreamseeker
[TLS] Re: Working Group Last Call for Use of ML-D… Jack Grigg
[TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Joshua
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Wang Guilin
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Scott Fluhrer (sfluhrer)
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Andrei Popov
[TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Use of ML-D… Watson Ladd
[TLS] Re: Working Group Last Call for Use of ML-D… Filippo Valsorda
[TLS] Re: Working Group Last Call for Use of ML-D… David Adrian
[TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
[TLS] Re: Working Group Last Call for Use of ML-D… Yaroslav Rosomakho
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Composite ML-DSA tirumal reddy
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Composite ML-DSA Viktor Dukhovni
[TLS] Re: Composite ML-DSA tirumal reddy
[TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… Scott Fluhrer (sfluhrer)
[TLS] Re: Working Group Last Call for Use of ML-D… David Adrian
[TLS] Re: Working Group Last Call for Use of ML-D… John Mattsson
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
[TLS] Re: Composite ML-DSA Peter Gutmann
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
[TLS] Re: Composite ML-DSA Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… Michael StJohns
[TLS] Re: Composite ML-DSA Salz, Rich
[TLS] Re: Composite ML-DSA Scott Fluhrer (sfluhrer)
[TLS] Re: Working Group Last Call for Use of ML-D… Soatok Dreamseeker
[TLS] Re: Composite ML-DSA Sean Turner
[TLS] Re: Composite ML-DSA Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Sophie Schmieg
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Filippo Valsorda
[TLS] Re: Composite ML-DSA Viktor Dukhovni
[TLS] Re: Composite ML-DSA Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… Tim Hudson
[TLS] Re: Working Group Last Call for Use of ML-D… Robert Relyea
[TLS] Re: Composite ML-DSA David Benjamin
[TLS] Re: Composite ML-DSA Salz, Rich
[TLS] Re: Composite ML-DSA David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
[TLS] Re: Working Group Last Call for Use of ML-D… Joshua
[TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Use of ML-D… Robert Relyea
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Sean Turner
[TLS] Re: Composite ML-DSA Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Salz, Rich
[TLS] Re: Composite ML-DSA Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Salz, Rich
[TLS] Re: Composite ML-DSA Daniel Van Geest
[TLS] Re: Composite ML-DSA Viktor Dukhovni
[TLS] Re: Composite ML-DSA Daniel Van Geest
[TLS] Re: Working Group Last Call for Use of ML-D… Wang Guilin
[TLS] Re: Working Group Last Call for Use of ML-D… Thom Wiggers
[TLS] Re: Working Group Last Call for Use of ML-D… Sophie Schmieg
[TLS] Re: Working Group Last Call for Use of ML-D… Peter Gutmann
[TLS] Re: Working Group Last Call for Use of ML-D… Falko Strenzke
[TLS] Re: Composite ML-DSA Viktor Dukhovni
[TLS] Re: Composite ML-DSA Andrei Popov
[TLS] Re: Composite ML-DSA Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Peter Gutmann
[TLS] Re: Composite ML-DSA Nico Williams
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Christopher Patton
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
[TLS] Re: Working Group Last Call for Use of ML-D… Simon Josefsson
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Yaroslav Rosomakho
[TLS] Re: Composite ML-DSA Simon Josefsson
[TLS] Re: Composite ML-DSA Simon Josefsson
[TLS] Re: Composite ML-DSA Peter Gutmann
[TLS] Re: Composite ML-DSA Filippo Valsorda
[TLS] Re: Composite ML-DSA Daniel Van Geest
[TLS] Re: Working Group Last Call for Use of ML-D… Dennis Jackson
[TLS] Re: Composite ML-DSA Dennis Jackson
[TLS] Re: Working Group Last Call for Use of ML-D… Simon Josefsson
[TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
[TLS] Re: Working Group Last Call for Use of ML-D… Peter C
[TLS] Re: Composite ML-DSA Nadim Kobeissi
[TLS] Re: Working Group Last Call for Use of ML-D… Simon Josefsson
[TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
[TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
[TLS] Re: Composite ML-DSA Peter Gutmann
[TLS] Re: Composite ML-DSA Scott Fluhrer (sfluhrer)
[TLS] Re: Composite ML-DSA Peter Gutmann
[TLS] Re: Composite ML-DSA Eric Rescorla
[TLS] Re: Composite ML-DSA Daniel Van Geest
[TLS] Re: Composite ML-DSA Nico Williams
[TLS] Re: Composite ML-DSA tim.beckmann
[TLS] Re: Composite ML-DSA Sophie Schmieg
[TLS] Re: Composite ML-DSA Peter Gutmann
[TLS] Re: Working Group Last Call for Use of ML-D… Yaakov Stein
[TLS] Re: Composite ML-DSA Mike Ounsworth
[TLS] Re: Composite ML-DSA Watson Ladd
[TLS] Re: Composite ML-DSA Mike Ounsworth
[TLS] Re: Composite ML-DSA Daniel Van Geest
[TLS] Re: [EXTERNAL] Re: Composite ML-DSA John Gray
[TLS] Re: Composite ML-DSA Falko Strenzke