Re: Excessive Optionality in Cryptography Anti-Pattern (was: Re: JSONWebSignature2020 vs JcsEd25519Signature2022)

On Fri, Mar 10, 2023 at 5:19 PM Orie Steele <orie@transmute.industries>
wrote:

> What happens when SHA256 gets broken like Md5?
>

My take on it is that we’ll have plenty of warning, and we’ll design now
for an upgrade (in CBOR a reserved tag) in case sha256 is broken.

Right now that seems unlikely, even with Quantum computing. But we’ll be
prepared.

> What happens when an embedded system already supports EdDSA which requires
> SHA512, and has no room for another hash function?
>

This is where having one or two ready can be useful. We are thinking of
having one at base, one harder and very different in reserve, and a 3rd
that is our best guess for conservative quantum resistance.

A more current impact example is that we are using this year the venerable
but mature Shamir for our SSKR-based Collaborative Seed Recovery, but Shamir
has inherent limitations. However, we have designed it such that we can
later drop in a VSS, which has better properties for our purposes. We’ll be
well prepared to make a good choice as that matures.

In both cases, at most we’ll have two choices for a transitional period.

— Christopher Allen
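The "at most two choices for a transitional period" policy above, as an added illustration that is not part of this thread or of any Blockchain Commons code: a digest carries an algorithm code (a plain tuple stands in for the reserved CBOR tag), the verifier accepts only the base algorithm until a transition flag also enables the reserve, and every other code is rejected before any hashing happens. SHA-256 as base and SHA-512 as reserve are assumptions for the example (the thread only notes that EdDSA devices already carry SHA-512), not the author's actual choices.

```python
import hashlib
import hmac

# Constructed algorithm codes standing in for a reserved CBOR tag.
# Illustrative values, not real tag numbers from any specification.
ALG_SHA256 = 1  # base algorithm
ALG_SHA512 = 2  # reserve (assumed for the example)
_HASHES = {ALG_SHA256: hashlib.sha256, ALG_SHA512: hashlib.sha512}


def accepted_algs(transition: bool = False) -> frozenset:
    """Policy: one algorithm in normal operation, two during a transition.

    Keeping the allowlist this small is the point: no open-ended registry
    of options, so a downgrade to a weak or unknown algorithm is impossible.
    """
    if transition:
        return frozenset({ALG_SHA256, ALG_SHA512})
    return frozenset({ALG_SHA256})


def make_digest(data: bytes, alg: int = ALG_SHA256) -> tuple:
    """Return (alg_code, digest), a stand-in for a tagged CBOR digest."""
    if alg not in _HASHES:
        raise ValueError(f"unknown algorithm code {alg}")
    return (alg, _HASHES[alg](data).digest())


def verify_digest(data: bytes, tagged: tuple, transition: bool = False) -> bool:
    """Check a tagged digest, refusing any algorithm outside current policy.

    The policy check comes first so an attacker cannot steer the verifier
    into computing with an algorithm the deployment has not enabled.
    """
    alg, digest = tagged
    if alg not in accepted_algs(transition):
        return False
    expected = _HASHES[alg](data).digest()
    # Constant-time comparison avoids leaking where the digests differ.
    return hmac.compare_digest(expected, digest)
```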

Received on Saturday, 11 March 2023 02:13:02 UTC