I largely agree with Richard here. To recap some basic facts

0. TLS is algorithm agile and Supported Groups [0] are listed in an IANA registry.
1. The TLS Supported Groups registry has the "Specification Required" policy, which means that in practice anyone can register groups.
2. Setting a group to "Recommended=Y" requires IETF Consensus (and hence the approval of TLS WG). Typically "Recommended=Y" is intended to mean we think it provides an acceptable security. As background, right now P-256 and X25519 have "Recommended=Y".
3. Making an algorithm mandatory to implement requires IETF Consensus (and hence the approval of TLS WG). Currently P-256 is MTI, but X25519 is not.

I find it fairly hard to believe that there will not be settings in which people want to use both X25519+ML-KEM and P-256+ML-KEM, just as they do X25519 and P-256 now, so I would certainly expect that we would see code point registrations for both, with the question being whether the TLS WG takes them up.

The TLS WG could obviously choose not to document one of these hybrids but not the other, but assuming that there is demand, I think the most reasonable thing to do would be to document them both and mark them both Recommended=Y. I haven't heard a proposal to mark *either* MTI, so that discussion may be premature.

I agree with Richard and others that the precise deployment numbers probably aren't dispositive on whether we should publish and/or standardize each of these.

-Ekr

[0] TLS models hybrids as if they were EC groups.

On Tue, Jun 4, 2024 at 11:58 AM Richard Barnes <r...@ipv.sx> wrote:

> This WG does not get to decide which hybrids will exist or be
> standardized, unless it has implications on the TLS protocol, which it does
> not.
>
> --RLB
>
> On Tue, Jun 4, 2024 at 2:51 PM Salz, Rich <rs...@akamai.com> wrote:
>
> >> I urge the chairs to call cloture on this thread. There is nothing
> >> relevant for the working group here.
> >>
> >> I think that is premature. Yes, there is a lot of noise, but it was only
> >> one or two days ago that reasons for hybrids with both P256 and X25519 were
> >> given.
> >>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org