On Fri, Jun 7, 2024 at 11:41 AM D. J. Bernstein <d...@cr.yp.to> wrote:
> Eric Rescorla writes:
> > I'm struggling to understand what people think is at stake here.
>
> The WG will soon be faced with decisions regarding which curve+PQ
> hybrids to recommend for TLS.

It's important to distinguish between two senses of the word "recommend".

- Is marked "Recommended=Y" in the registry.
- Having the RFC say that you SHOULD/MUST support an algorithm.

The word "recommended" notwithstanding, these are different things.
For example, RFC 8446 says:

    A TLS-compliant application MUST support key exchange with
    secp256r1 (NIST P-256) and SHOULD support key exchange with
    X25519 [RFC7748].

But the IANA registry also lists X448 and secp384r1 as "Recommended=Y".

So, what configuration are you advocating for here? Here are some options:

P-256+ML-KEM            X25519+ML-KEM
----------------------------------------------------
Recommended=Y, MAY      Recommended=Y, MAY
Recommended=N, MAY      Recommended=Y, MAY
Recommended=Y, MAY      Recommended=Y, MUST/SHOULD
Recommended=N, MAY      Recommended=Y, MUST/SHOULD

One of these? Or some other?

-Ekr
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org