On Tue, 7 Jan 2025 at 17:35, Filippo Valsorda <fili...@ml.filippo.io> wrote: > > 2025-01-07 14:16 GMT+01:00 John Mattsson > <john.mattsson=40ericsson....@dmarc.ietf.org>: > > Alicja Kario wrote: > >Can you point to examples of people actually using x448 (TLS group ID 30) in > >practice? > > > > I think that is the wrong question. > > > If no one deployed X448 I don't see why they would deploy X448MLKEM1024, so I > see no reason to standardize it. > > The reason to deploy SecP384r1MLKEM1024 is compliance. Like it or hate it. > > The obvious set of hybrids to standardize and implement is: > > the one everyone should use; > one that everyone who can't use (1) can use. > > I personally liked SecP256r1MLKEM768 for (1) because I need to carry an > optimized P-256 implementation for WebPKI certificates anyway, but > X25519MLKEM768 is fine, too. > > SecP384r1MLKEM1024 fits the bill for (2) while X448MLKEM1024 does not, both > for compliance transition reasons, and for "many libraries don't offer a X448 > implementation" reasons.
There are a list of hybrids here: https://www.ibm.com/docs/en/datapower-gateway/10.6.x?topic=commands-kem-alg-technology-preview One of them is X448mlkem768. Anybody from IBM can comment ? _______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
