On Sat, Apr 01, 2023 at 02:12:14AM +0000, Kampanakis, Panos wrote: > Hi Bas, > > I prefer for the MTI to be P-256+Kyber768 for compliance reasons.
Uh, I think this thing is too experimental to have any MTI. > It would be trivial for servers to add support for both identifiers > as they introduce Kyber768, but you are right, the new draft should > include an MTI identifier. The problem with having both is that it bifurcates the system. While being on wrong side is not a hard failure, it is still rather annoying perf hit. For clients to support either, servers must support both. At least with P-384 hybrid, folks are less likely to deploy the thing unless needed. -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
