Hi, I just looked at the presentation from the TLS session. My views:
- I think the order of P256 and MLKEM should be switched, irrespectively of NIST's current discussion. Even if NIST do not change their current specifications, I think long-term FIPS compliance is much more important then short-term FIPS compliance. - Don't touch X25519MLKEM768, not even the name. Just make it a rule that the name is in the opposite order. - I think the draft should be adopted - I think the draft should be standards track - I think all three code points should be RECOMMENDED=Y - I think the draft should update RFC8446bis to make X25519MLKEM768 MTI. I think IETF should send a clear message that TLS implementations should migrate to quantum-resistant key exchange asap. X25519MLKEM768 is already the de facto standard. At some point we need a quantum-resistant MTI and I don't see any other option than X25519MLKEM768 and I don’t see any reason to wait. Key exchange and signatures can be handled independently. Cheers, John
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
