Chris Rapier:
> I know XMSS support has been experimental for quite some time. Is there any
> push to change the status? Just curious more than anything else.

I don't expect XMSS to ever be enabled by default. Better PQC signature algorithms are in the pipeline, e.g., Google and ETH recently announced a hybrid ECDSA/Dilithium implementation small enough to fit on a FIDO2 security key.

https://security.googleblog.com/2023/08/toward-quantum-resilient-security-keys.html

XMSS has properties that match up poorly with typical SSH usage:

* Private keys can only sign a limited number of messages.
* The private key changes with every signature generation. The key must be reliably updated since reusing an old key breaks security.

That may be acceptable if you sign a file using an SSH key, but it won't fly with sshd.

-- 
Christian "naddy" Weisgerber naddy@xxxxxxxxxxxx
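Added illustration, not part of the thread: a toy stateful hash-based signer in the spirit of XMSS, built from Lamport one-time keys under a small Merkle tree, showing the two properties discussed above. The signer's state (`next_index`) advances with every signature and refuses to sign once its leaves are used up, and `exposed_pairs` counts how much of a one-time key becomes public when a leaf is reused after stale state is restored. The 4-leaf tree, all names, and the Lamport scheme standing in for WOTS+ are assumptions of this example, not OpenSSH or XMSS code.

```python
import hashlib
import secrets

H = lambda b: hashlib.sha256(b).digest()  # hash used throughout

def lamport_keygen():
    # 256 pairs of random secrets; the public key is their pairwise hashes.
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, [[H(a), H(b)] for a, b in sk]

def msg_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]
def lamport_sign(sk, msg):  # reveals one secret per message bit, hence one-time
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]
def lamport_verify(pk, msg, sig):
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, msg_bits(msg))))
def leaf_hash(pk):
    return H(b"".join(h for pair in pk for h in pair))

class StatefulSigner:  # Merkle tree over 2**height one-time keys; next_index is the state
    def __init__(self, height=2):
        self.keys = [lamport_keygen() for _ in range(1 << height)]
        self.levels = [[leaf_hash(pk) for _, pk in self.keys]]
        while len(self.levels[-1]) > 1:
            lvl = self.levels[-1]
            self.levels.append([H(lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.root = self.levels[-1][0]  # the long-term public key
        self.next_index = 0
    def sign(self, msg):
        if self.next_index >= len(self.keys):
            raise RuntimeError("one-time keys exhausted: this key cannot sign again")
        idx, self.next_index = self.next_index, self.next_index + 1  # persist before use
        sk, pk = self.keys[idx]
        auth, i = [], idx
        for lvl in self.levels[:-1]:  # sibling hashes from leaf up to the root
            auth.append(lvl[i ^ 1])
            i >>= 1
        return idx, lamport_sign(sk, msg), pk, auth

def verify(root, msg, signature):
    idx, ots, pk, auth = signature
    node, i = leaf_hash(pk), idx
    for sib in auth:
        node = H(node + sib) if i % 2 == 0 else H(sib + node)
        i >>= 1
    return node == root and lamport_verify(pk, msg, ots)

def exposed_pairs(sig_a, sig_b):
    # Same leaf used twice (e.g. state restored from backup): key pairs now fully public.
    return sum(x != y for x, y in zip(sig_a[1], sig_b[1]))
```

With a 4-leaf tree the fifth call to `sign` raises, which is the "limited number of messages" property; a production signer would have to write `next_index` to durable storage before releasing each signature.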