Yep, the upcoming SP 800-227 draft says that officially, order doesn't matter, at least in terms of the hybrids defined for TLS 1.3: https://doi.org/10.6028/NIST.SP.800-227.ipd
Great, thanks for the link. I don't know if "anything" hybrid with ML-KEM is theoretically FIPS but it does make things easier.

Yeah, which is why I put it in quotes. I didn’t see anything in that doc that limits it to TLS. So applicable to SSH, IPSEC, etc.
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org