Address Kris comments about Section B.1 on FIPS

[johngray-dev]

Address Kris's comments:

ZjQcmQRYFpfptBannerEnd In the section "B.1 FIPS certification", the draft says:

• "algorithm to be [...] considered FIPS-approved even when one of the component algorithms is not" and then
• "overall composite should be considered full strength and thus FIPS-approved"

I think, the "full strength" may be misleading. Also the term is not clearly defined. Hence, it could be understood as "full strength of classical+PQ" and that is opposite to what NIST FAQ [1] says. I.e. let say MLDSA is FIPS-approved in a future, and we create composite with MLDSA-44 + some on-ramp signature that claims level 5. Does it mean the strength of that construct should be considered FIPS-approved with security strength of equal to level 2 or 5?

As this draft is now about creating composite signatures with MLDSA, so do we need B.1? The discussion about FIPS-approved dual signature schemes sounds like a great discussion to have, but in a different place (and ideally on CMUF forum).

My suggestion would be to remove B.1 to avoid spreading potentially misleading information about important topic.

Additional nit:

• The abstract says "Composite algorithms are provided which combine ML-DSA with RSA, ECDSA, Ed25519, and Ed448.". Shouldn't it say MLDSA only?

-- Kris Kwiatkowski Cryptography Dev

[johngray-dev]

change: overall composite should be considered full strength and thus FIPS-approved" to overall composite should be considered at least as strong and thus FIPS-approved"

• until FIPS deprecates RSA or EC...