Minutes of September 8th, 2025 meeting

[johngray-dev]

Present: Nicola Tuveria, PetrMuzikant, Markku-Julhani Saarinen, Daniel Van Geest, Alexander Railean, Corey Bonnell, Max Pala, Carl Wallace, JP Fiset, Alex Zaslavsky, John Gray, Mike Ounsworth,

Open Questions and status:

• Carl asked about the status of composites:

  • Mike and John Answered: Proof for composite KEM is in the works, Composite signatures should have a new version later in September and will ask for WGLC.

• Mike Asked where this project is going, and got a number of responses:

  • People are still submitting artifacts, repository is valuable
  • HQC and Falcon (FN-DSA) are coming and there is interop work to do there
  • CMP and CMS and higher level protocol stuff needs interoperability testing
  • Chameleon or other PQ transition mechanisms like Discovery are still valuable to test with
  • We can point to our past success and implementation interoperability, test vectors and results matrix are valuable to the industry
  • This is the place for hybrids, NIST doesn't have test vectors for those
  • NIST takes forever to get documents out, this group allows us to test implementations and give feedback to the standards

• John asked if anyone knows about anyone using HashML-DSA (since it is not allowed in certificates). We test them in certificates in this project, but they are technically not allowed.

  • Markku mentioned that he has seen it used in secure boot and firmware updates, and most people have heard that Microsoft is interested in HashML-DSA.

Pull Requests:

• Closed pull request Create android.yml #232 as we haven't heard from the author, it was not marked as completed, and we aren't sure what the author was trying to accomplish
• Acvp auto testing #129 is still something we would like to get working. NIST has offered to help if needed.
  • Action: John to reach out to Mike Bartock / Chris Celi at NIST to ask if anyone from their end wants to help us

Round Table:
John Gray - Working on getting composites through WGLC as well as composite implementations and KEM RecipientInfo implementations. Also joined the OASIS TC PKCS11 group to help with PCKS11 3.3 and hopefully help get composites into a future specification.

Alex Zaslavsky - ML-DSA Hybrids, still working on implementing composite sigantures

JP Fiset - submitted artifacts - Working on another round of FIPS, composites implementation being worked on.

Petr Muzikant - Interested in hearing how things are progressing. He is helping to write the Estonian PQC roadmap. Working on crypto agility in Go. Finished crypto agility in Go https://github.com/ISRI-PQC/agiligo

Carl Wallace - Will get back to responses, and will have updated artifacts before next IETF

Markku - Just track the progress, SLH-DSA in LibOQS. Provided some interesting updates:

• HQC new spec and implementation being worked on, still far from a standard
• FN-DSA - Internally approved at NIST. It will be fairly different, especially for hardware vendors. What kind of instructions do we need for this algorithm. Still has 666 byte signatures which is good.

Mike Ounsworth - No other updates, if there is work to do, he can do it.

Felipe - Work on openSSL implementation for composite signatures, recently got a new error message about auto generation. More information than last IETF. Not dealing much with auto generation.

Corey Bonnell - Once composite has settled down a bit more, he will work on composite signatures.

Max - Working on composite KEM and signature. In role for X9 moving forward with SDK, in the UAT environment as well.

Nicola - working on submitting artifacts for RUST provider for openSSL, both pure and composites. Just had a few delays.

Other Interesting Information:
Markku mentioned he is working on standards for Europe, and is interested if composites are the leading standard. Mike mentioned an over of TLS session at IETF 123 (updating TLS or using composite signatures). With the complexity of using dual certs for authentication in TLS, composite signatures seemed like the clear choice.

Max mentioned the X9 PKI - This week they are going to create the ML-DSA Roots! Signing the roots is happening this week and is separate from the internet PKI. This may be the first PKI on a large scale to use ML-DSA! In terms of policy, it is one of the heaviest. He also mentioned ISO7816 specifying protocols for transmitting - Older version of the certificates.