I support the adoption. I also think we will end up standardizing pure ML-DSA
anyway.
Modify the TLS protocol to rely on multiple certificates (one of which might
be a traditional RSA certificate and one an ML-KEM only certificate)?
+1. Composite signatures are also interesting, but since TLS already includes
certificate negotiation, this option seems like a better way to reduce
certificate size._______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org