XMSS is a stateful post-quantum signature scheme.
- Post-quantum security for _online_ authentication is not important
until quantum computers become practical; there's no danger of
retroactive forgery in sessions that have already completed.
- As a stateful signature schemes, XMSS is qualitatively different
from all the other ones sshd supports, requiring additional
administrative care: roll back the state (e.g., from a disk backup
or VM snapshot), and you've shot yourself in the foot.
If users want XMSS keys, they can make them explicitly, but there's
no need for this to be enabled by default.
Discussed with christos offline.
aafff8763a