I understand that due to FIPS requirements, this is needed. However, I'm also going through this: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/RsQbm_AQfzs/m/19o76lsyCwAJ
Personally, hybrids should be the recommended choice. I think that the I-D draft-connolly-tls-mlkem-key-agreement should be carefully written to explain the risks involved. Will the authors consider a section 6.4 on risks involved with lattice-based structures ? I like what Simon Josefsson used in one of his drafts: "new research findings may be published at any time that may warrant implementation reconsiderations". On Thu, 3 Apr 2025 at 16:35, Joseph Birr-Pixton <jpix...@gmail.com> wrote: > > On Tue, 1 Apr 2025 at 14:00, Sean Turner <s...@sn3rd.com> wrote: >> >> We are continuing with our pre-announced tranche of WG adoption calls; see >> [0] for more information. This time we are issuing a WG adoption call for >> the ML-KEM Post-Quantum Key Agreement for TLS 1.3 I-D [1]. > > > I support adoption, and we have already implemented and shipped the draft. > > Thanks, > Joe > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-le...@ietf.org _______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
