Stephen Farrell wrote:
> Without going into the details, I'm generally sympathetic to djb's
> argument here, but also do recognise ekr's "we allow anyone to get
> a RECOMMENDED=N code point" as valid.
+1

In addition to discussing security, it is a fact that many governments require ML-KEM and ML-DSA to be hybridized. Standalone ML-KEM and ML-DSA are simply not deployable for any global companies:

"PQC only in hybrid solutions, i.e. PQC + “Classical”, except for HBS"

"Post-quantum algorithms must be hybridized with well-known pre-quantum algorithms."

"strongly emphasizes the necessity of hybridation"

"strongly recommends to use hybrid protocols"

"If it is not possible to use hash-based signatures, use a hybrid of ML-DSA and EC-DSA or legacy RSA"

For quantum-resistant KEMs I think we need to not only start discussing RECOMMENDED=Y but also MTI asap.

Cheers,
John

https://pkic.org/events/2023/pqc-conference-amsterdam-nl/pkic-pqcc_stephan-ehlen_bsi_post-quantum-policy-and-roadmap-of-the-bsi.pdf
https://pkic.org/events/2023/pqc-conference-amsterdam-nl/pkic-pqcc_jerome-plut_anssi_anssi-plan-for-post-quantum-transition.pdf
https://cyber.gouv.fr/sites/default/files/document/follow_up_position_paper_on_post_quantum_cryptography.pdf
https://cyber.gouv.fr/sites/default/files/document/pqc-transition-in-france.pdf
http://kth.diva-portal.org/smash/get/diva2:1902626/FULLTEXT01.pdf

On 2024-11-21, 22:02, "Stephen Farrell" <stephen.farr...@cs.tcd.ie> wrote:

> Hiya,
>
> Without going into the details, I'm generally sympathetic to djb's
> argument here, but also do recognise ekr's "we allow anyone to get
> a RECOMMENDED=N code point" as valid.
>
> That said, if the WG adopts *anything* with RECOMMENDED=Y in this space
> (incl. for KEMs) then I think the onus is on the WG to write down
> guidance for the entire space, especially as there will be codepoints
> for non-hybrids.
>
> In summary: I don't think we should go back to previous policies where
> we'd try to prevent registration of non-hybrids, but I do think we really
> need to try to reach consensus on guidance text for the whole slew of PQ
> possibilities for TLS. (And IMO that guidance would be along the lines
> of djb's argument.)
>
> Cheers,
> S.
>
> PS: It seems pretty ironic to me that ambiguities in NIST and NSA text
> are turning out to be such a barrier to getting PQ stuff done when at the
> same time they're some of the entities trying to (again IMO) rush a pile
> of things here. (To be clear: for me, everything PQ except hybrid KEMs
> is a thing for which we ought to hasten much more slowly.)
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org