> In other words, does CNSA 2.0 tolerate ECC, by effectively ignoring its 
> presence, or not?

From 
https://www.ietf.org/archive/id/draft-becker-cnsa2-tls-profile-00.html:

"In order to meet the goal of a consistent security level for the entire cipher 
suite, CNSA TLS implementations MUST only use the algorithms listed in this 
document." That's ML-KEM-1024 and ML-DSA-87 only.

It would be better if that statement were in the official CNSA document [1], 
such as a FAQ or something, and not in an IETF document submitted by an 
individual. For example, in the CNSA 2.0 FAQ [2] there is a section on “Hybrids” 
which gives a subtly different opinion. Taken together, my answer to 
Andrey is “it seems to, yes”. Perhaps we can get official clarification?

[1] https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF
[2] FAQ https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/1/CSI_CNSA_2.0_FAQ_.PDF
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
