Are we even discussing changing TLS 1.3 MTI at this point, for either hybrid or 
pure PQC?

Cheers,

Andrei

-----Original Message-----
From: Nico Williams <n...@cryptonector.com> 
Sent: Thursday, April 17, 2025 11:31 AM
To: Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu>
Cc: Thomas Bellebaum <thomas.belleb...@aisec.fraunhofer.de>; 
paul.wout...@aiven.io; tls@ietf.org
Subject: [EXTERNAL] [TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM 
Post-Quantum Key Agreement for TLS 1.3

On Thu, Apr 17, 2025 at 05:56:56PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> Since it looks like 3/4 of the audience holds a position similar to mine
> - frankly, I don’t see why 3/4 must convince 1/4 that their position 
> is valid (usually, it’s the other way around).

We don't "vote" because majorities _can be wrong_.  At any rate it's hard to 
quantify the risks of pure PQ, and since there will be entities that insist on 
it for their own internal uses, and since the codepoint assignments exist, it's 
a bit over the top to say no when we can just insist that these not be MTI and 
hope that [unlike Dual_EC] pure PQ gets no usage outside of the orgs that 
require it.  Though I'm not keen on pure PQ yet, I do believe that the WG 
Chair's call was correct, but not just because 3/4s support adoption, and I 
appreciate that the consensus is strongly that pure PQ not be MTI.

Nico
-- 

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org