On Mon, Mar 02, 2026 at 01:46:20PM -0800, Benjamin Kaduk wrote:
> I don't see any of that in this proposed text; my proposed text was attempting
> to achieve this goal by referencing the "sense of the security community
> recorded in {{HYBRID}}" and linking back to the use-cases in {{motivation}}
> that provide some justification to avoid hybrids for those use cases.
I think that *motivating* (justifying) the use of non-hybrids in the
draft would be a mistake. Even better than that is to NOT promote their
use at all. Just specify the how, not the why, and in the security
considerations enumerate and/or reference the various issues that make
non-hybrids potentially risky.
I don't expect that any particular "motivations" for avoid hybrids will
find consensus in this WG. They've in any case (from at least my
perspective) been rather weak at best. And yet I support publication,
not because these non-hybrid code points should be broadly used, but
rather because pretending they don't exist and won't be used won't make
it so.
A published RFC would be a more stable reference, and if published
through the IETF (rather than ISE), is more likely to have security
considerations we can live with, and no aspirational motivating use
cases that don't stand up to scrutiny.
Users who want to deploy these groups will do so at their own risk,
we may as well be sure to document those risks.
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
