[Rpm-maint] [rpm-software-management/rpm] Add new signature headers for Post Quantum Signatures (Issue #3363)
Justus Winter
notifications at github.com
Tue Oct 8 16:15:44 UTC 2024
The OpenPGP working group is working on [draft-openpgp-pqc](https://github.com/openpgp-pqc/draft-openpgp-pqc). Currently, the focus is on FIPS compliance, and harmonizing KEM combiners and algorithm selection across different protocols to amortize the implementation and validation efforts across different software components.
It is true that PQC in OpenPGP will depend on a new wire format, RFC 9580 aka "v6", but Sequoia is very robust in that regard. If you go with having two OpenPGP signatures, one classical and one PQ (ML-DSA as composite, or SLH-DSA), current versions of Sequoia can gracefully ignore the PQ signature. We'd be happy to assist you with creating plausible mockups of v6 PQ signatures for RPMs test suite.
Thinking about the timeline, our [v6 implementation](https://gitlab.com/sequoia-pgp/sequoia/-/tree/crypto-refresh?ref_type=heads) is [almost complete](https://sequoia-pgp.gitlab.io/openpgp-interoperability-test-suite/results.html?impls=1194), and we plan to merge it later this year. I don't expect the work on draft-openpgp-pqc to conclude before that.
Adding PQC support on top is relatively straight forward, as from an OpenPGP perspective it only adds algorithms. The challenge here will be to find suitable cryptographic libraries to supplement our current cryptographic backends with, as I expect that support in the mainstream cryptographic libraries will be a little behind.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3363#issuecomment-2400303151
You are receiving this because you are subscribed to this thread.
Message ID: <rpm-software-management/rpm/issues/3363/2400303151 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20241008/f91c0dbb/attachment.html>
More information about the Rpm-maint
mailing list