On Tue, Aug 23, 2022, at 00:11, Kris Kwiatkowski wrote:
> As X25519 is not FIPS-approved, the lab won't be able to test it,

OK, hypothetical question, but maybe an important one.

Why would a certification lab care? We compose secrets with non-secrets all the time, so even if X25519 were replaced with a public value, as long as Kyber is approved, can they not proceed to certify on the basis of the strength of the Kyber algorithm and its implementation?

Or, more realistically, maybe the composition method can be approved, just as composing a secret with "chickenchickenchicken" can be rendered safe. That way, composing with an arbitrary primitive might be considered safe if the composition method is approved.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls