I support adoption. I don't think us having a (non-recommended!) scheme available that does not support hybrids is a problem, there are legitimate reasons to want that kind of key exchange, and as time progresses, non-hybrid key exchanges will become more and more commonplace, so why not have it already defined? Note that the draft as is does not recommend reusing keys, but rather notes that TLS does not disallow this option, and that the scheme therefore MUST be IND-CCA. That is simply an accurate security observation, and the flaw lies with TLS 1.3, not this draft.
On Wed, Apr 2, 2025 at 2:57 AM Martin Thomson <m...@lowentropy.net> wrote:

> I think that adoption is fine. I might oppose the registration of a
> codepoint that was Recommended: Y for reasons similar to what Stephen
> described, but we can talk about that.
>
> On Tue, Apr 1, 2025, at 23:58, IETF Secretariat wrote:
> > The TLS WG has placed draft-connolly-tls-mlkem-key-agreement in state
> > Call For Adoption By WG Issued (entered by Sean Turner)
> >
> > The document is available at
> > https://datatracker.ietf.org/doc/draft-connolly-tls-mlkem-key-agreement/
> >
> >
> > _______________________________________________
> > TLS mailing list -- tls@ietf.org
> > To unsubscribe send an email to tls-le...@ietf.org
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org

--
Sophie Schmieg | Information Security Engineer | ISE Crypto | sschm...@google.com