I support the adoption. I also think we will end up standardizing pure ML-DSA anyway.

Modify the TLS protocol to rely on multiple certificates (one of which might be a traditional RSA certificate and one an ML-KEM only certificate)?
+1. Composite signatures are also interesting, but since TLS already includes certificate negotiation, this option seems like a better way to reduce certificate size.
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
