On Tue, Jul 30, 2019, 12:52 PM Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:
>
> I'm neutral as to how we represent this stuff for the moment
> as I think it's too early to tell until we get closer to the
> end of the algorithms competition.
>

Part of the input being provided is deployability experiments happening now in TLS.

>
> That said, I do want to second this...
>
> On 30/07/2019 19:41, Scott Fluhrer (sfluhrer) wrote:
> > Here is one opinion (mine, but I'm pretty sure it is shared by
> > others): the various NIST candidates are based on hard problems that
> > were only recently studied (e.g. supersingular isogenies, Quasicyclic
> > codes), or have cryptanalytic methods that are quite difficult to
> > fully assess (e.g. Lattices). Even after NIST and CFRG have blessed
> > one or more of them, it would seem reasonable to me that we wouldn't
> > want to place all our security eggs in that one basket. We currently
> > place all our trust in DH or ECDH; however those have been studied
> > for 30+ years - we are not there yet for most of the postquantum
> > algorithms.
> >
> > Hence, it seems reasonable to me that we give users the option of
> > being able to rely on multiple methods.
>
> The only person with whom I've spoken who said he'd plan to
> deploy some of this soon is a VPN operator who explicitly
> wanted to start early and use >1 PQ scheme (3-4 is what he
> said) plus a current scheme. His expectation was that that'd
> settle down to one PQ scheme, or one PQ and a current one,
> in time, but that time may be a decade after he'd like to
> start.
>
> So, to the extent it matters, count me as a +1 for supporting
> that.
>
> Cheers,
> S.
>
>
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
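The deployment Scott and Stephen describe (several PQ schemes plus a current one, later thinning out to fewer) needs a combiner that derives one session key from every shared secret, so the key stays unpredictable as long as any single component holds. The following is an added illustration and is not code from this thread, from the VPN operator, or from any TLS implementation: it uses an HKDF-style extract/expand over HMAC-SHA256 from the Python standard library, with every component length-prefixed so the concatenation cannot be re-parsed two ways. The labels, the salt, the context string and the shared-secret bytes are all assumptions constructed for the example rather than outputs of real key agreements.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    digest_size = HASH().digest_size
    okm, block = b"", b""
    for counter in range(1, (length + digest_size - 1) // digest_size + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def encode_component(label: bytes, secret: bytes) -> bytes:
    """Length-prefix label and secret so the joined IKM is unambiguous
    (e.g. ("ab","c") and ("a","bc") must not produce the same bytes)."""
    return (struct.pack(">H", len(label)) + label
            + struct.pack(">H", len(secret)) + secret)


def combine_shared_secrets(components, context: bytes, length: int = 32) -> bytes:
    """Derive one session key from a list of (label, shared_secret) pairs
    in the negotiated order. Every secret feeds the IKM, so anyone missing
    even one of them cannot compute the key (assuming HMAC-SHA256 is a PRF);
    that is what "not all our eggs in one basket" buys."""
    if not components:
        raise ValueError("at least one shared secret is required")
    ikm = b"".join(encode_component(label, secret) for label, secret in components)
    prk = hkdf_extract(b"hybrid-kex-example-salt", ikm)      # assumed salt
    return hkdf_expand(prk, b"hybrid session key|" + context, length)


# Constructed sample shared secrets: stand-ins for one current scheme and
# three PQ KEMs, NOT real key-agreement outputs. Labels are assumptions.
SAMPLE = [
    (b"x25519",   bytes.fromhex("11" * 32)),
    (b"pq-kem-a", bytes.fromhex("22" * 32)),
    (b"pq-kem-b", bytes.fromhex("33" * 32)),
    (b"pq-kem-c", bytes.fromhex("44" * 32)),
]
CONTEXT = b"constructed-transcript-hash"   # assumed handshake binding


def session_key(components=SAMPLE, context=CONTEXT) -> bytes:
    return combine_shared_secrets(components, context)


def single_component_changes_key(components, context, index: int) -> bool:
    """Flip one byte of one component and check the derived key changes:
    knowing every other secret but guessing this one wrong yields a
    different key."""
    label, secret = components[index]
    altered = list(components)
    altered[index] = (label, bytes([secret[0] ^ 0x01]) + secret[1:])
    return combine_shared_secrets(altered, context) != combine_shared_secrets(components, context)


if __name__ == "__main__":
    print("4-way hybrid key:", session_key().hex())
    for i in range(len(SAMPLE)):
        assert single_component_changes_key(SAMPLE, CONTEXT, i)
    # "Settling down" to one PQ scheme plus a current one is just a shorter list.
    print("2-way hybrid key:", combine_shared_secrets(SAMPLE[:2], CONTEXT).hex())
```

The order of components matters to the derived key, so both peers must agree on it as part of negotiation; the same applies to the salt and context string, which in a real protocol would be fixed by the specification rather than chosen as here.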