Scott Fluhrer (sfluhrer) writes:

> My real question is "why is there such push-back from such a small change?"

For the same reason there would have been pushback if the KEM rollouts had done PQ instead of ECC+PQ: that would have been reckless from a security perspective. Given how the two (KEM and DSA) are used, and what threats may exist against each of them, I think it's perfectly fine to use PQ instead of ECC+PQ here.

> however if we believe that ML-DSA has a real security vulnerability,
> we ought to abandon it entirely

We're not talking about the extreme case of deploying something today that has already been broken. We're talking about managing _risks_ of _future_ attacks. My crystal ball says that ECC will get broken before PQ, at least in the case of ML-DSA.
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org