FWIW and probably not relevant, DoD CAC has never used DSA. FORTEZZA used DSA.

-----Original Message-----
From: Alicja Kario [mailto:hka...@redhat.com]
Sent: Monday, December 9, 2024 2:23 PM
To: D. J. Bernstein <d...@cr.yp.to>
Cc: tls@ietf.org
Subject: [TLS] Re: draft-connolly-tls-mlkem-key-agreement

On Saturday, 7 December 2024 23:32:03 CET, D. J. Bernstein wrote:
> Watson Ladd writes:
>> Having MLKEM without a hybrid as an option in TLS when the
>> interoperable choice is a hybrid
>
> Some previous messages claim that there's a split between customers
> demanding hybrids and customers demanding non-hybrids so "we'll end up
> standardizing both". If the claim is true (I'm skeptical about the
> non-hybrid part) and IETF acts on it (which is what I'm objecting to),
> then how exactly does a hybrid end up as "the interoperable choice"?

Same way that when DOD CAC was using DSA, long after no commercial CA was
using DSA, the public Internet servers that would accept those CACs were
perfectly happy using RSA server keys so that regular browsers were able to
connect to them, even without use of a CAC

If no browser will implement pure ML-KEM (and it very much looks so), then
they will have to provide support for secp256r1MLKEM768 group to allow
connections from regular browsers: hybrids will be the interoperable choice

--
Regards,
Alicja (nee Hubert) Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org