Re: [TLS] [Errata Held for Document Update] RFC8446 (6205)

2024-01-16 Thread Martin Thomson
Yeah, we talked about this one and came to a reasonable conclusion that was based on what I wrote at the time, but better because RFC 8773 exists. The added text: > In the absence of some other specification to the contrary, servers which are > authenticating with an external PSK MUST NOT send

[TLS] [Errata Held for Document Update] RFC7919 (4908)

2024-01-16 Thread RFC Errata System
The following errata report has been held for document update for RFC7919, "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)". -- You may review the report below and at: https://www.rfc-editor.org/errata/eid4908

[TLS] [Errata Held for Document Update] RFC8446 (5682)

2024-01-16 Thread RFC Errata System
The following errata report has been held for document update for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". -- You may review the report below and at: https://www.rfc-editor.org/errata/eid5682 --

[TLS] [Errata Held for Document Update] RFC8422 (5468)

2024-01-16 Thread RFC Errata System
The following errata report has been held for document update for RFC8422, "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier". -- You may review the report below and at:

Re: [TLS] [Errata Held for Document Update] RFC8446 (6205)

2024-01-16 Thread Eric Rescorla
I believe that the current 8446-bis text addresses this. Martin? On Tue, Jan 16, 2024 at 4:59 PM RFC Errata System wrote: > The following errata report has been held for document update > for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". > >

[TLS] [Errata Verified] RFC8996 (7103)

2024-01-16 Thread RFC Errata System
The following errata report has been verified for RFC8996, "Deprecating TLS 1.0 and TLS 1.1". -- You may review the report below and at: https://www.rfc-editor.org/errata/eid7103 -- Status: Verified Type: Editorial

[TLS] [Errata Held for Document Update] RFC8996 (7769)

2024-01-16 Thread RFC Errata System
The following errata report has been held for document update for RFC8996, "Deprecating TLS 1.0 and TLS 1.1". -- You may review the report below and at: https://www.rfc-editor.org/errata/eid7769 -- Status: Held for

[TLS] [Errata Held for Document Update] RFC8446 (6205)

2024-01-16 Thread RFC Errata System
The following errata report has been held for document update for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". -- You may review the report below and at: https://www.rfc-editor.org/errata/eid6205 --

Re: [TLS] [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-16 Thread Eric Rescorla
On Tue, Jan 16, 2024 at 8:24 AM D. J. Bernstein wrote: > Bas Westerbaan writes: > > X-Wing is a KEM - not a combiner. > > Sure, but there's a combiner present inside it---and even advertised: > see "X-Wing uses the combiner" etc. at the beginning of this thread. > > If people are motivated by

Re: [TLS] [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-16 Thread D. J. Bernstein
Bas Westerbaan writes: > X-Wing is a KEM - not a combiner. Sure, but there's a combiner present inside it---and even advertised: see "X-Wing uses the combiner" etc. at the beginning of this thread. If people are motivated by things like http://tinyurl.com/5cu2j5hf to use the same combiner with a

Re: [TLS] [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-16 Thread Bas Westerbaan
> > The arguments for multiple KEMs are > stronger than the arguments for multiple combiners. > X-Wing is a KEM — not a combiner. I agree there should preferably be one go-to generic combiner. Insisting that X-Wing use that generic combiner is not dissimilar to insisting that every KEM that uses

Re: [TLS] [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-16 Thread D. J. Bernstein
Jack Grigg writes: > As the paper states at the top of page 4, X-Wing includes the recipient's > X25519 public key "as a measure of security against multi-target attacks, > similarly to what is done in the ML-KEM design". Thanks for the data. Assuming arguendo that this matters (as in my first