. . . however forceful, or insistent on being heard, Dan may be at times, history has shown that he is often enough ultimately proved right, years or decades later.
An arguable point. However "inconvenient", IMHO his voice should not be suppressed. Of course. However, there must be a limit, n’est c’est pas? If his strong view is that pure PQ KEMs (probably not just ML-KEM/Kyber), are too novel to be responsibly relied on without a classical fallback, then he should IMHO able to forcefully make that case. And didn’t he “forcefully made that case” plenty of times already? How many times is it OK to “forcefully make that case”, until the person is told “we understand what you’re saying, please stop repeating yourself”? Shouldn’t once be enough – especially if the “case” is as “verbosely-presented” as this? By now I think everybody on this list, and plenty of folks outside, know that Dan is strongly against allowing pure ML-KEM “without a classical fallback”. Some cryptographers (including BSI and a few other European government agencies) agree with him, other cryptographers (including NSA, GCHQ, etc.) disagree. Those who agree with BSI – let them use Hybrid KEM, as they have their reasons. Those who agree with NSA – let them use pure ML-KEM, as they have their reasons (shockingly, disagreeing with Dan and a few other members here). I for one am strongly against reiterating the above ad nauseum.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
