I consider risks associated with hybrids, so my deployment will not use them. 

Care to share? Perhaps you know something that many others don’t. 

I know that (purely) cryptographically “as strong or stronger” is not the end. 
Which many others don’t seem to take into account, or even care about. 

There’s maintenance of the code for both parts of the KEM and ensuring they’re 
properly integrated, maintenance of parallel PKI structures, need to allocate 
the costs for two moves [1] instead of one which already makes some users argue 
(which can be a royal pain in a large deployment), likely many other things I’m 
too lazy to concentrate on now (besides, there’s that feeling that I don’t need 
to convince “my” clientele at all, and there’s little chance to convince this 
audience anyway, which dampens the eagerness to strive). 

In short, all those factors of actually running a large conglomerate of 
organizations… 


[1] One move – to the PQ (in whatever form), then – once people (even those 
now-dissenting here) decide that enough decades have passed, and we can 
consider Lattice-based as reliable as ECC (apparently, two decades of study is 
not enough – would three suffice? Four? Five? Would we still want hybrids even 
after CRQC appear?) – another move to dump the Classic part. 













_______________________________________________
TLS mailing list -- tls@ietf.org