On Saturday, 7 December 2024 23:32:03 CET, D. J. Bernstein wrote:
> Watson Ladd writes:
>> Having MLKEM without a hybrid as an option in TLS when the interoperable
>> choice is a hybrid
>
> Some previous messages claim that there's a split between customers
> demanding hybrids and customers demanding non-hybrids so "we'll end up
> standardizing both". If the claim is true (I'm skeptical about the
> non-hybrid part) and IETF acts on it (which is what I'm objecting to),
> then how exactly does a hybrid end up as "the interoperable choice"?
Same way that when DoD CAC was using DSA, long after no commercial CA was
using DSA, the public Internet servers that would accept those CACs were
perfectly happy using RSA server keys so that regular browsers were
able to connect to them, even without use of a CAC.

If no browser will implement pure ML-KEM (and it very much looks so), then
they will have to provide support for the secp256r1MLKEM768 group to allow
connections from regular browsers: hybrids will be the interoperable choice.
--
Regards,
Alicja (nee Hubert) Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
TLS mailing list -- tls@ietf.org