I'd like to understand the argument for why a transition back to single
schemes would be desirable.
Having hybrids be the new standard seems to be a nice win for security
and pretty much negligible costs in terms of performance, complexity and
bandwidth (over single PQ schemes).

On 07/03/2024 00:31, Watson Ladd wrote:
On Wed, Mar 6, 2024, 10:48 AM Rob Sayre <say...@gmail.com> wrote:
On Wed, Mar 6, 2024 at 9:22 AM Eric Rescorla <e...@rtfm.com> wrote:
On Wed, Mar 6, 2024 at 8:49 AM Deirdre Connolly <durumcrustu...@gmail.com>
wrote:

Can you say what the motivation is for being "fully post-quantum" rather than
hybrid?

Sure: in the broad scope, hybrid introduces complexity in the short-term that
we would like to move off of in the long-term - for TLS 1.3 key agreement this
is not the worst thing in the world and we can afford it, but hybrid is by
design a hedge, and theoretically a temporary one.

My view is that this is likely to be the *very* long term.

Also, the ship has sailed somewhat, right? Like Google Chrome, Cloudflare, and
Apple iMessage already have hybrids shipping (I'm sure there are many more, those
are just really popular examples). The installed base is already very big, and
it will be around for a while, whatever the IETF decides to do.

People can drop support in browsers fairly easily especially for an
experimental codepoint. It's essential that this happen: if everything
we (in the communal sense) tried had to be supported in perpetuity, it
would be a recipe for trying nothing.

thanks,
Rob
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls