> -----Original Message-----
> From: D. J. Bernstein <d...@cr.yp.to>
> Sent: Thursday, November 21, 2024 10:06 AM
> To: tls@ietf.org
> Subject: [TLS] Re: ML-DSA in TLS
>
> Scott Fluhrer (sfluhrer) writes:
> > Might I ask what are we arguing about?
>
> This thread is on a draft proposing Dilithium for TLS rather than
> ECC+Dilithium for TLS.

Yes, I've been following the thread. My real question is "why is there such push-back from such a small change?" I would understand it if there were a real security vulnerability at stake, however if we believe that ML-DSA has a real security vulnerability, we ought to abandon it entirely (and I would agree that would be unreasonable).

You make the point that having ECC as a back-up is a reasonable trade-off (and I would personally agree with you on that). However, not everyone feels that way, and I don’t believe that it is reasonable for the working group to demand that everyone make that same trade-off (especially since, from the working group's perspective, allowing such differing trade-offs is just assigning a few additional code points).

On a side note: if this working group feels that having hybrid/composite certificates is the way to go, we need to tell that to the LAMPS working group. LAMPS provides tools for TLS to use - if we want something from that tool, we ought to inform them. If they don't hear of any need, they might abandon their efforts.