Yes, we need SecP384 hybrids.

More generally, I see two separate hybrid key exchange drafts under discussion in the TLS WG:
- draft-ietf-tls-hybrid-design-10 refers to pre-standard Kyber;
- draft-kwiatkowski-tls-ecdhe-mlkem-01 defines hybrids with ML-KEM 768.

Both drafts are on the Informational track. Do we really need two separate documents? Also, shouldn't this work be on the Standards track?

Cheers,

Andrei

-----Original Message-----
From: Alicja Kario <hka...@redhat.com>
Sent: Friday, September 6, 2024 4:40 AM
To: Kris Kwiatkowski <k...@amongbytes.com>; tls@ietf.org
Subject: [EXTERNAL] [TLS] draft-kwiatkowski-tls-ecdhe-mlkem and P-384

Hello,

What's the situation with other groups for TLS 1.3?
Specifically, are there any plans to specify SecP384r1MLKEM1024?

As mentioned in multiple emails already, high-security systems already have a strict requirement to use the P-384 curve exclusively. Similarly, for post-quantum resistance they will be required to use ML-KEM-1024.

Will you add it to the draft, or should we start work on a separate one that defines those hybrid algorithms?

--
Regards,
Alicja (nee Hubert) Kario
Principal Quality Engineer, RHEL Crypto team
Web: http://www.cz.redhat.com/
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org