I support Joseph's proposal. One teensy nit, given the description of the field, should we mention this is a "SHOULD NOT"?
On Wed, Nov 5, 2025 at 9:18 AM Bellebaum, Thomas <thomas.bellebaum= [email protected]> wrote: > So the WG rejects "D" as a means to warn against non-hybrids with some > resoning that D is only "for weak cryptographic algorithms" [1], and would > group it "with NULL ciphers, RC4, DES, EXPORT ciphers, MD5, etc" [2]. > In a vacuum, to me the more egregious inconsistency is that we're not marking traditional cryptography as "D": we know for sure they'll fall to quantum attack, whereas practical attacks on (hybrid) ML-KEM-768 are mere speculation. I do think it's better to wait a bit before marking traditional crypto as "D", but not too long. Best, Bas
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
