XMSS
Christian Weisgerber
naddy at mips.inka.de
Sat Sep 2 06:31:39 AEST 2023
Chris Rapier:
> I know XMSS support has been experimental for quite some time. Is there any
> push to change the status? Just curious more than anything else.
I don't expect XMSS to ever be enabled by default. Better PQC
signature algorithms are in the pipeline, e.g., Google and ETH
recently announced a hybrid ECDSA/Dilithium implementation small
enough to fit on a FIDO2 security key.
https://security.googleblog.com/2023/08/toward-quantum-resilient-security-keys.html
XMSS has properties that match up poorly with typical SSH usage:
* Private keys can only sign a limited number of messages.
* The private key changes with every signature generation.
The key must be reliably updated since reusing an old key breaks
security.
That may be acceptable if you sign a file using an SSH key, but it
won't fly with sshd.
--
Christian "naddy" Weisgerber naddy at mips.inka.de
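To make the two properties above concrete, here is an added toy implementation of a stateful hash-based signature, written for this page and not taken from the mailing-list post, OpenSSH or the XMSS reference code. It stands in Lamport one-time signatures for WOTS+, uses a tiny Merkle tree of height 3 (so exactly eight signatures per key) and a constructed fixed seed; the class, function and constant names are this example's own. It shows the signer refusing to sign once the leaves are used up, the private state (`next_leaf`) advancing on every signature, and a check that flags the situation the mail warns about: a state rolled back or not persisted, so that one leaf signs two different messages.

```python
"""Toy stateful hash-based signature: Lamport one-time keys under a Merkle tree.
Illustration only; real XMSS uses WOTS+, bitmask hashing and far larger trees."""
import hashlib

H = 3             # tree height: 2**H one-time leaves, hence 2**H signatures per key
DIGEST_BITS = 256
SEED = bytes(range(32))   # constructed master seed for the example, not a real key


def sha(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def lamport_keygen(seed, leaf):
    # Derive the 2*256 one-time secrets for one leaf from the seed, so the whole
    # private key is just (seed, next_leaf) and the counter is the only state.
    sk = [[sha(seed, leaf.to_bytes(4, "big"), i.to_bytes(2, "big"), bytes([b]))
           for b in (0, 1)] for i in range(DIGEST_BITS)]
    pk = [[sha(s) for s in pair] for pair in sk]
    return sk, pk


def leaf_hash(pk):
    return sha(*[x for pair in pk for x in pair])


def ots_sign(sk, msg):
    # Reveal, for each digest bit, the secret matching that bit's value.
    d = int.from_bytes(sha(msg), "big")
    return [sk[i][(d >> (DIGEST_BITS - 1 - i)) & 1] for i in range(DIGEST_BITS)]


def build_tree(seed):
    level = [leaf_hash(lamport_keygen(seed, j)[1]) for j in range(2 ** H)]
    levels = [level]
    while len(level) > 1:
        level = [sha(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels          # levels[0] = leaves, levels[-1] = [root]


def auth_path(levels, idx):
    path = []
    for lvl in levels[:-1]:
        path.append(lvl[idx ^ 1])   # sibling node at each level
        idx >>= 1
    return path


class StatefulSigner:
    def __init__(self, seed):
        self.seed = seed
        self.levels = build_tree(seed)
        self.root = self.levels[-1][0]   # the public key
        self.next_leaf = 0               # the state; must be persisted after every sign

    def remaining(self):
        return 2 ** H - self.next_leaf

    def sign(self, msg):
        if self.next_leaf >= 2 ** H:
            raise RuntimeError("key exhausted: every one-time leaf has been used")
        idx = self.next_leaf
        self.next_leaf += 1              # advance state before releasing the signature
        sk, pk = lamport_keygen(self.seed, idx)
        return (idx, ots_sign(sk, msg), pk, auth_path(self.levels, idx))


def verify(root, msg, signature):
    idx, sig, pk, path = signature
    d = int.from_bytes(sha(msg), "big")
    for i in range(DIGEST_BITS):
        if sha(sig[i]) != pk[i][(d >> (DIGEST_BITS - 1 - i)) & 1]:
            return False
    node = leaf_hash(pk)
    for sib in path:
        node = sha(sib, node) if idx & 1 else sha(node, sib)
        idx >>= 1
    return node == root


def state_reused(sig_a, sig_b):
    # Same leaf index but different revealed secrets: one one-time key signed two
    # messages, which is exactly the failure a rolled-back or unsaved state causes.
    return sig_a[0] == sig_b[0] and sig_a[1] != sig_b[1]


def rollback_demo(seed):
    # Simulate restoring an old copy of the private key after signing once.
    signer = StatefulSigner(seed)
    stale_state = signer.next_leaf
    first = signer.sign(b"message signed before the backup was restored")
    signer.next_leaf = stale_state      # the "restore from backup" mistake
    second = signer.sign(b"a different message signed after the restore")
    return state_reused(first, second)


if __name__ == "__main__":
    s = StatefulSigner(SEED)
    sig = s.sign(b"hello")
    print("verifies:", verify(s.root, b"hello", sig), "remaining:", s.remaining())
    print("leaf reused after rollback:", rollback_demo(SEED))
```

For an sshd host key this is the problem in miniature: every signature the daemon produces must be followed by a durable write of the new counter, and any copy of the key file (backup, cloned VM, second host sharing a key) restarts the counter at a leaf that may already have been used.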
More information about the openssh-unix-dev mailing list