Eric Rescorla writes:
> It's important to distinguish between two senses of the word "recommend".

I'd expect the first wave of proposals to be asking the WG to say
Recommended=Y for various curve+PQ hybrids.

There will be an annoyingly large number of options on the PQ side---for
example, for different security levels and for patent avoidance---and
I'd expect a tricky discussion of which options to recommend for TLS.

I don't think it's a good idea to wait until then to figure out the
curve side. I'd like us to simplify the curve side by focusing on
X25519+PQ, just like most (I'm not saying all!) post-quantum hybrids so
far. This means saying no to brainpoolP256*+PQ, SM2+PQ, P-256+PQ, etc.

(Yes, people can register whatever they want and use it if client and
server agree, but it's reasonable to presume that Recommended=Y makes a
difference---otherwise, why is IETF maintaining that list?)

There have been other comments instead aiming for focusing on P-256.
That's a big enough split that making progress obviously requires
understanding the reasons for the divergence. The underlying rationales
raise interesting factual questions, and continued fact-finding by the
WG is a productive way forward.

---D. J. Bernstein

_______________________________________________
TLS mailing list -- tls@ietf.org