On Thu, Oct 24, 2024 at 03:15:38AM +0000, Scott Fluhrer (sfluhrer) wrote:
> In my opinion, we'll end up standardizing both. At the very least, I (Cisco) have some customers who want ML-DSA only, and other customers that insist on hybrid, and so we'll need to support both.
>
> Of course, when it comes to hybrid, we have some options to sort through. Do we:
>
> * Support a hybrid certificate (such as proposed in the LAMPS wg)?
> * Modify the TLS protocol to rely on multiple certificates (one of which might be a traditional RSA certificate and one an ML-KEM only certificate)?
>
> I can see reasons why either option makes sense; what does the working group think?
I think of these two, only the hybrid certificate is viable. I think the multiple certificates approach is extremely complex with highly nontrivial security considerations, the end result being extreme risk of serious security issues.

As an example, most of the currently proposed hybrid signatures are not strongly non-separable, which makes it unsafe to recompose keys. But having multiple certificates inherently allows recomposition.

-Ilari
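To make the separability point above concrete, here is an added example (not from the thread or from any of the LAMPS proposals) that contrasts a separable two-component signature, where each half is also a plain signature over the message, with a bound variant that signs a label, a hash of the whole composite public key, and the message. It assumes Ed25519 for both halves as a stand-in for a real traditional/ML-DSA pair, and the label `example-composite-v1` is a constructed value.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
)

// Two-component composite key. Both halves are Ed25519 as a stand-in (an assumption
// of this example); a real hybrid would pair e.g. RSA or ECDSA with ML-DSA.
type CompositePub struct{ A, B ed25519.PublicKey }
type CompositePriv struct{ A, B ed25519.PrivateKey }

var label = []byte("example-composite-v1") // constructed label, not a standard one

// Keygen builds a fresh composite key (nil rand selects crypto/rand.Reader).
func Keygen() (CompositePub, CompositePriv) {
	pa, sa, errA := ed25519.GenerateKey(nil)
	pb, sb, errB := ed25519.GenerateKey(nil)
	if errA != nil || errB != nil {
		panic("key generation failed")
	}
	return CompositePub{A: pa, B: pb}, CompositePriv{A: sa, B: sb}
}

// Separable variant: each half signs msg on its own, so each half is also a valid
// single-key signature and can be lifted out and recombined under another composite.
func SignSeparable(priv CompositePriv, msg []byte) (sa, sb []byte) {
	return ed25519.Sign(priv.A, msg), ed25519.Sign(priv.B, msg)
}

// Bound variant: each half signs label || SHA-256(pkA || pkB) || msg, so a half
// only verifies together with the exact composite key it was produced for.
func toBeSigned(pub CompositePub, msg []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, pub.A...), pub.B...))
	return bytes.Join([][]byte{label, h[:], msg}, nil)
}
func SignBound(pub CompositePub, priv CompositePriv, msg []byte) (sa, sb []byte) {
	tbs := toBeSigned(pub, msg)
	return ed25519.Sign(priv.A, tbs), ed25519.Sign(priv.B, tbs)
}
func VerifyBound(pub CompositePub, msg, sa, sb []byte) bool {
	tbs := toBeSigned(pub, msg)
	return ed25519.Verify(pub.A, tbs, sa) && ed25519.Verify(pub.B, tbs, sb)
}

// ComponentStandsAlone reports whether a half also verifies as a plain single-key signature over msg.
func ComponentStandsAlone(pk ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pk, msg, sig)
}
```

With the separable construction `ComponentStandsAlone` returns true for either half, which is exactly what lets a half be re-paired with a different partner key; with the bound construction it returns false, and `VerifyBound` also rejects a composite key that swaps in another party's half.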