Use of the HSS and XMSS Hash-Based Signature Algorithms in Internet X.509 Public Key Infrastructure
draft-ietf-lamps-x509-shbs-13
Note: This ballot was opened for revision 09 and is now closed.
Deb Cooley
Yes
Paul Wouters
Yes
Erik Kline
No Objection
Francesca Palombini
No Objection
Gunter Van de Velde
No Objection
Comment
(2024-11-29 for -11)
Sent
# Gunter Van de Velde, RTG AD, comments for draft-ietf-lamps-x509-shbs-11

# The line numbers used are rendered from IETF idnits tool: https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-lamps-x509-shbs-11.txt

# Thank you for the work spent on this document. I found it hard to read, but I suspect that is because of my unfamiliarity with the technologies documented within this text.

# The document does not have a terminology section explaining the abbreviations used in the document. Consider adding such a section. Sometimes an abbreviation is expanded upon first usage, sometimes it is not, for example "OID".

#DETAILED COMMENTS
#=================

116 A stateful HBS private key is a finite collection of OTS keys, hence
117 only a limited number of messages can be signed and the private key's

GV> The statement "A stateful HBS private key is a finite collection of OTS keys" is mostly correct, but it can be made more precise. What about the following:

"
A stateful HBS private key consists of a finite collection of OTS keys, along with state information that tracks the usage of these keys to ensure the security of the scheme.
"

122 longer signing time. Due to the statefulness of the private key and
123 the limited number of signatures that can be created, stateful HBS
124 schemes might not be appropriate for use in interactive protocols.

GV> Would the following not be a more digestible textblob to say the same:

"
Because the private key in stateful HBS schemes is stateful and the number of signatures that can be generated is limited, these schemes may be unsuitable for use in interactive protocols.
"
Jim Guichard
No Objection
Murray Kucherawy
No Objection
Orie Steele
No Objection
Comment
(2024-12-04 for -12)
Sent
# Orie Steele, ART AD, comments for draft-ietf-lamps-x509-shbs-12
CC @OR13

* line numbers:
  - https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-lamps-x509-shbs-12.txt&submitcheck=True

* comment syntax:
  - https://github.com/mnot/ietf-comments/blob/main/format.md

* "Handling Ballot Positions":
  - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/

## Comments

### audited before the signature is published

```
172 In each of these cases, the operator is able to control their signing
173 environment such that signatures are generated in hardware
174 cryptographic modules and audited before the signature is published,
175 in order to prevent OTS key reuse.
```

The phrasing here is tripping me up a bit.

I think auditing prevents OTS key reuse, and that audits should be completed before a signature is produced.

I am not sure what publishing a signature means in this context.

Later in the document freezing and auditing is discussed, perhaps this could be explained better with reference to that section.

## Nits

### possible -> practical?

```
192 stateful HBS public key in the subordinate CA certificate may be
193 possible.
```
Roman Danyliw
(was Discuss)
No Objection
Comment
(2024-11-23 for -11)
Sent
Thank you to Stewart Bryant for the GENART review. Thank you Russ Housley and Daniel Van Geest for answering my DISCUSS and COMMENT feedback.
Zaheduzzaman Sarker
No Objection
Éric Vyncke
No Objection
Comment
(2024-11-26 for -11)
Not sent
Beside the lack of justification for the intended status in the shepherd write-up, no INT specific comments.