Dear Dr. Blumenthal,

I catch up here given that anyway your recent answer to my concerns is also related to this thread and, as per Toerless’ advice, it would be better to have this discussion here.
Admittedly your answer (reported here below) was not addressing my concerns. A hybrid still has a chance of being secure if old good crypto would be successfully attacked, so your argument does not stand.

More in general, about the perception of risk, I do not see the reason why to have an optimistic attitude when it is about security. Actually, in security the right attitude towards risk is to be “short and mid-term pessimistic” (with the long-term to be defined), and I think that in a transition phase (which will likely last longer than we may think) this is indeed the appropriate attitude to have. To build confidence in RSA took 20 years or more. I do not expect that PQC will have such a remarkably different path. Not sure fragmenting options is wise now, neither for security (first obvious reason) nor for the market.

Thanks for your kind attention
Fabiana

[TLS] Re: [EXT] Re: Fwd: New Version Notification for draft-barnes-tls-this-could-have-been-an-email-00.txt
"Blumenthal, Uri - 0553 - MITLL" <[email protected]>
Wed, 25 February 2026 17:10 UTC
<https://mailarchive.ietf.org/arch/msg/tls/pdo-kN5ynLXpOxC55mZxQot7LZo/>

Because the common good sense says that the assurance of the ‘“old” good crypto’ is over, which is the whole point of this exercise.

When your data has a long life - only PQ part matters, otherwise it’s just whether it will be compromised even sooner.

When your data is short-lived - you don’t need the PQ part, and may not care if it’s present, weak, or whatever.

—
Regards,
Uri

Secure Resilient Systems and Technologies
MIT Lincoln Laboratory

> On Feb 25, 2026, at 11:50, DA PIEVE Fabiana <[email protected]> wrote:
>
> In my personal capacity, I have to say that in all this discussion it is not clear to me yet the main issue - the reason why we would go for a path that is not based on a common good sense, by removing the assurance of security given by “old” good crypto. This adds up to the fact that the cost of keeping it is actually cheap, and to the fact that an outstanding work has been done already to deploy hybrid ML-KEM in TLS. Hybrid ML-KEM is such a cheap way to reduce risks.
>
> So, overall, I still cannot crystallize in my head what is the advantage in security and costs in throwing away ECC and how to reconcile this with what is pushed in my own part of the world. Not sure what would be the advantage in fragmenting things now.
>
> I would like to invite all EU researchers or anyway all those with whom I am in contact to write to me to help me increase my understanding of the exceptional need for all this, and eventually share their technical concerns, to see if they overlap with mine, in case you would have time and you would be willing to do so. I thank everybody here for the discussion.
>
> Fabiana Da Pieve
> Program Manager
> European Commission
> DG Communications Networks, Content and Technology
> Unit C4 – Emerging & Disruptive Technologies

Fabiana Da Pieve
Program Manager
European Commission
DG Communications Networks, Content and Technology
Unit C4 – Emerging & Disruptive Technologies
