I happen to think that standalone ML-DSA in TLS is a controversial issue.

And I respectfully disagree.

As has been pointed out already, you cannot authenticate tomorrow on somebody else's connection from yesterday. In practice, PQ authentication is not an immediate issue in the sense of "record now, decrypt later".

Exactly. Except that my conclusion from this is: no hybrid is necessary. Either move to PQ, or remain with Classic and keep observing/studying PQ.

There is also an issue of what signatures in X.509 certs will look like. Especially in CA certificates, these may favor ML-DSA+ECC vs. ML-DSA, so there would need to be support by the TLS stack for the hybrid for that reason.

This all is based on the assumption that ML-DSA would fail, but ECC won't. I find this highly improbable.
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org