Combining posts from two people into one answer.

On 16/04/2025 00:02, Benjamin Kaduk wrote:
>
> I can see a case being made that this draft does improve the deployability of
> TLS if we start with a baseline of draft-ietf-tls-ecdhe-mlkem and note that
> that mechanism is not deployable in some environments (I guess, ones with some
> kind of strict FIPS-only requirement, though I'm not conversant in the details
> of such an environment).

A question (not necessarily for Ben): Are there any concrete/specific environments that we know about that will need non-hybrid PQ KEMs for reasons other than national regulatory reasons?

Yes. I.e., not only for regulatory reasons. Not to mention that it makes sense to me too, but who am I (that’s a rhetorical question – please don’t try to answer it 😃).

If so, I'd like to understand more about why and don't (or have forgotten:-).

Because our experts evaluated all the relevant risks, and concluded that while in theory indeed Crypto_Strength(Hybrid) = max(Crypto_Strength(ECC), Crypto_Strength(ML_KEM)), in practical deployments there are other factors to consider. And we worry about things other than theoretical stuff on paper. I prefer to conclude my argument on this point, rather than diving into gory details.

If not, then a) adoption of this draft really does require us to figure out what we'll do when the next country's choices are proposed, (which we've not) and b) I think does argue for pushing this to the ISE rather than adopting.

I strongly oppose this.

Hey, I'm just working for Acme Logistics, a small consulting company. 😃

Likewise. 😃
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org