I'm neutral as to how we represent this stuff for the moment as I think it's too early to tell until we get closer to the end of the algorithms competition.
That said, I do want to second this...

On 30/07/2019 19:41, Scott Fluhrer (sfluhrer) wrote:
> Here is one opinion (mine, but I'm pretty sure it is shared by
> others): the various NIST candidates are based on hard problems that
> were only recently studied (e.g. supersingular isogenies, Quasicyclic
> codes), or have cryptanalytic methods that are quite difficult to
> fully assess (e.g. Lattices). Even after NIST and CFRG have blessed
> one or more of them, it would seem reasonable to me that we wouldn't
> want to place all our security eggs in that one basket. We currently
> place all our trust in DH or ECDH; however those have been studied
> for 30+ years - we are not there yet for most of the postquantum
> algorithms.
>
> Hence, it seems reasonable to me that we give users the option of
> being able to rely on multiple methods.

The only person with whom I've spoken who said he'd plan to deploy some of this soon is a VPN operator who explicitly wanted to start early and use >1 PQ scheme (3-4 is what he said) plus a current scheme. His expectation was that that'd settle down to one PQ scheme, or one PQ and a current one, in time, but that time may be a decade after he'd like to start.

So, to the extent it matters, count me as a +1 for supporting that.

Cheers,
S.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls