draft-atkins-suit-cose-walnutdsa has been presented for publication as
an Informational RFC on the Independent Submissions Stream.
The document presents a way to use the Walnut Digital Signature
Algorithm within the COSE syntax. The document makes it very clear that
Walnut has not been endorsed by the IETF, and contains (section 5.2) an
explanation of the security considerations specific to Walnut. Further,
the document observes that earlier cryptanalysis identified potential
issues that the authors believe have been addressed in more recent
versions of Walnut (this is not to say that the algorithm would now pass
cryptanalysis review, but does say that issues found earlier have resulted
in improvements to the algorithm). The document also advises users to
make their own judgment about the risks involved.
There has been considerable discussion about this document. I solicited
comments from the Designated Experts for the COSE registries, from the
CFRG, and from targeted reviewers. Several commentators were fairly
hostile and pointed to security failings of Walnut and the fact that
NIST had declined to accept Walnut as suitable. The author observed that
these issues were in the past as changes had been made to Walnut. We
specifically strengthened the text in Section 5.2 to highlight the
concerns and indicate what had been done to resolve many of the issues.
Two main concerns were raised by reviewers:
1. "Publishing this will open the doors to many more similar
publications." This is a possible outcome, but it seems unlikely that
there will be "many" additional documents presented for publication.
We certainly haven't seen any others come forward during the year
that this document has been with the ISE. If this event does arise, the
ISE will clearly have to deal with it.
2. "[publishing this sends] a very confusing signal to implementers if
other RFCs describing crypto that aims to be quantum resistant (or
protocols using such) are emitted ahead of those [NIST-approved
algorithms]." This document (in the opinion of the ISE) makes it
clear that WalnutDSA has not been endorsed by the IETF (but the
ISE would be happy to receive suggestions for even more rigorous
text). The document also includes caveats and a pointer to
discussions of concerns with the algorithm (section 5.2) as well as
mitigation for those concerns. However, if the IESG believes that
publication should be held until after one or more specific drafts
have made it to RFC, this is an acceptable response per RFC 5742.
Nevertheless, this document is not about Walnut, but about how Walnut
might be used. It is assumed that users will be aware of the security
analysis (that is referenced) and will take seriously the call for them
to exercise their own judgement. They will weigh their security concerns
against any perceived benefits to using Walnut.
It has also been noted that an RFC is not necessary for codepoint
assignment from the relevant COSE registries. Some are "Expert Review"
and others "Specification Required" and there is a belief in some
quarters that an Internet-Draft is adequate documentation for both
cases. Nevertheless, the author believes that a more stable and
permanent reference is provided by the publication of an RFC and that
that will be helpful to people trying to understand the use of the
codepoints.
In the end, and considering the specific caveats and pointers added to
the document, the ISE considers that publication would not be
detrimental. The document clearly fits within the criteria for
publication within the Independent Stream.
The DEs have been consulted about this final version of the document
and have reported no concerns within the specific constraints of their
role.
Note that the document contains a Trade Mark statement. The author
and the holder of the Trade Marks is aware of the terms of the TLP wrt
use of the marks.