Address Kris comments about Section B.1 on FIPS #145

[johngray-dev]

From: EntrustCorporation/draft-ounsworth-composite-sigs#145

Address Kris's comments:

ZjQcmQRYFpfptBannerEnd
In the section "B.1 FIPS certification", the draft says:

"algorithm to be [...] considered FIPS-approved even when one of the component algorithms is not"
and then
"overall composite should be considered full strength and thus FIPS-approved"
I think, the "full strength" may be misleading. Also the term is not clearly defined. Hence, it could be understood as "full strength of classical+PQ" and that is opposite to what NIST FAQ [1] says. I.e. let say MLDSA is FIPS-approved in a future, and we create composite with MLDSA-44 + some on-ramp signature that claims level 5. Does it mean the strength of that construct should be considered FIPS-approved with security strength of equal to level 2 or 5?

As this draft is now about creating composite signatures with MLDSA, so do we need B.1? The discussion about FIPS-approved dual signature schemes sounds like a great discussion to have, but in a different place (and ideally on CMUF forum).

My suggestion would be to remove B.1 to avoid spreading potentially misleading information about important topic.

Additional nit:

The abstract says "Composite algorithms are provided which combine ML-DSA with RSA, ECDSA, Ed25519, and Ed448.". Shouldn't it say MLDSA only?

Kris Kwiatkowski
Cryptography Dev

--- Group discussed this and decide to change the following:

change:
overall composite should be considered full strength and thus FIPS-approved"
to
overall composite should be considered at least as strong and thus FIPS-approved"

until FIPS deprecates RSA or EC...

[johngray-dev]

The comment was addressed and the issue has been resolved is -01 version