On Sun, Mar 22, 2026 at 02:13:10AM +0000, John Mattsson wrote:
> Stephen Farrell wrote:
> >I'd not say anything about combining QKD with pure ML-KEM as
> >that'd likely just add needless controversy.
>
> Agree. I think it’s best to keep it simple and use X25519MLKEM768 as
> the sole example. Since the external PSKs are also used for TLS
> authentication, I think the full recommendation should be to follow
> RFC8773(bis) with X25519MLKEM768, as suggested earlier.

If indeed RFC8773(bis) is employed in this context (which seems
prudent), then the requirement for "psk_dhe_ke" is implied by:
https://datatracker.ietf.org/doc/html/draft-ietf-tls-8773bis-13#section-5.1
and then the only thing left to decide is which "dhe" to use (e.g./i.e.,
X25519MLKEM768). Since RFC8773(bis) is in the RFC editor queue,
presumably it is blocked by 8446(bis). Is there yet a clear indication
of when both might be published?
--
Viktor. 🇺🇦 Glory to Ukraine!
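An added example, not part of the thread above: a small Python audit that checks a ClientHello extensions block for the profile being discussed (external PSK with certificate authentication, psk_dhe_ke offered, X25519MLKEM768 among the groups). The codepoints come from the IANA TLS registries rather than from the messages, and the set of companion extensions checked is this example's assumption about what the referenced section requires; the sample blocks are constructed, with key_share and pre_shared_key bodies left as placeholders.

```python
import struct

# Codepoints from the IANA TLS registries; they are not quoted in the thread.
REQUIRED = {33: "tls_cert_with_extern_psk", 41: "pre_shared_key",
            45: "psk_key_exchange_modes", 51: "key_share"}
SUPPORTED_GROUPS, PSK_MODES = 10, 45
PSK_DHE_KE, X25519MLKEM768 = 1, 0x11EC

def ext(ext_type: int, body: bytes) -> bytes:
    """Encode one extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body

def parse_extensions(block: bytes) -> dict:
    """Split an extensions block (outer 2-byte length already removed)."""
    exts, off = {}, 0
    while off < len(block):
        if off + 4 > len(block):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", block, off)
        off += 4
        if off + ext_len > len(block):
            raise ValueError("truncated extension body")
        exts[ext_type] = block[off:off + ext_len]
        off += ext_len
    return exts

def audit(block: bytes) -> list:
    """Return the deviations from the assumed profile; empty list means none."""
    exts = parse_extensions(block)
    problems = [f"missing {name}" for t, name in REQUIRED.items() if t not in exts]
    modes = exts.get(PSK_MODES, b"")
    offered = modes[1:1 + modes[0]] if modes else b""  # 1-byte list length first
    if PSK_DHE_KE not in offered:
        problems.append("psk_dhe_ke not offered")
    raw = exts.get(SUPPORTED_GROUPS, b"")[2:]          # skip 2-byte list length
    groups = [struct.unpack_from("!H", raw, i)[0] for i in range(0, len(raw) - 1, 2)]
    if X25519MLKEM768 not in groups:
        problems.append("X25519MLKEM768 not in supported_groups")
    return problems

# Constructed sample blocks (placeholder bodies for key_share and pre_shared_key).
GOOD = (ext(10, struct.pack("!HHH", 4, X25519MLKEM768, 0x001D)) + ext(33, b"")
        + ext(45, bytes([1, PSK_DHE_KE])) + ext(51, b"\x00\x00") + ext(41, b""))
WEAK = (ext(10, struct.pack("!HH", 2, 0x001D)) + ext(45, bytes([1, 0]))
        + ext(51, b"\x00\x00") + ext(41, b""))

if __name__ == "__main__":
    print("GOOD:", audit(GOOD))
    print("WEAK:", audit(WEAK))
```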