On Wed, Jul 16, 2025 at 11:15 PM D. J. Bernstein <d...@cr.yp.to> wrote:
> Bas Westerbaan writes: > > From a security standpoint, I see little value in using SLH-DSA over > > (hybrid) ML-DSA unless you also use a different key agreement. > > Sorry, can you please clarify the rationale here? > > I agree that the security of TLS collapses unless the KEM _and_ the > signature system are both secure. In particular, TLS using ML-KEM and > SLH-DSA needs both ML-KEM and SLH-DSA to be secure; TLS using ML-KEM and > ML-DSA needs both ML-KEM and ML-DSA to be secure. > > But how are you concluding that TLS using ML-KEM and SLH-DSA has risk as > high as TLS using ML-KEM and ML-DSA? > I'm not concluding that, Dan. Instead of turning this into a close reading exercise, let me get back to the heart of the matter (prioritisation), and ask you what should be the top three documents this working group should pursue. Best, Bas > > ---D. J. Bernstein > > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-le...@ietf.org >
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
