On Fri, Nov 15, 2024 at 3:56 PM Watson Ladd <watsonbl...@gmail.com> wrote:
> ... > Why not hash based signatures? > I think that the stateful ones are perfectly suited for certifications in X.509 certs, but in the TLS handshake this has to be Sphincs+, at 16.2KB per signature at the AES-192 security level. In addition to size concerns, it's not allowed in CNSA 2.0. Are vendors considering SPHINCS+ for this purpose?
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
