On Tue, Apr 15, 2025 at 01:55:35PM -0700, Andrey Jivsov wrote:

> I don't think that standalone ML-DSA should be adopted.
>
> There is time to move to a non-hybrid X.509 and digital signatures in the
> future.
>
> This topic has implications to availability of X.509 certificates, as
> there is a real risk that CAs will prefer standalone ML-DSA to the
> exclusion of hybrids, and also that other protocols will be limited to
> standalone ML-DSA.

But CAs do not choose EE keys, the key in the CSR is chosen by users.
And CAs can start to use ML-DSA to self-sign trust-anchor certs or sign
intermediate issuer (subordinate CA if you prefer that term) certificates
whether or not ML-DSA is a defined signature algorithm in TLS.

I support adoption, will review, and don't see a compelling reason to
delay adoption. Are we likely to produce a materially different spec if
this is delayed and for how long?

-- 
    Viktor.

    $ posttls-finger -c -Lsummary dukhovni.org
    posttls-finger: Verified TLS connection established
        ... TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
        key-exchange X25519MLKEM768 server-signature ML-DSA-65 (raw public key)