Bas Westerbaan wrote:
>In a vacuum, to me the more egregious inconsistency is that we're not marking
>traditional cryptography as "D": we know for sure they'll fall to quantum
>attack, whereas practical attacks on (hybrid) ML-KEM-768 are mere speculation.
>I do think it's better to wait a bit before marking traditional crypto as "D",
>but not too long.

Agree, all quantum-vulnerable crypto should be marked as "D" no later than 2035.

Thomas Bellebaum wrote:
>but the picture it paints is that there are already some hybrids with "D" yet
>there are non-hybrids with "N", so "_surely_ hybrids are less safe"

I think the picture it paints is that you should not use non-standardised cryptography except for experiments. I think the current text in the registry “Pre-standards version of Kyber768. Obsoleted by [draft-kwiatkowski-tls-ecdhe-mlkem-03]” seems pretty perfect. It tells the reader why the code point is deprecated and what to use instead.

Cheers,
John

From: Bas Westerbaan <[email protected]>
Date: Wednesday, 5 November 2025 at 09:45
To: Bellebaum, Thomas <[email protected]>
Cc: [email protected] <[email protected]>
Subject: [TLS] Re: Working group last call for the deprecation experimental code points in ECDHE-ML-KEM

I support Joseph's proposal. One teensy nit, given the description of the field, should we mention this is a "SHOULD NOT"?

On Wed, Nov 5, 2025 at 9:18 AM Bellebaum, Thomas <[email protected]> wrote:

> So the WG rejects "D" as a means to warn against non-hybrids with some reasoning that D is only "for weak cryptographic algorithms" [1], and would group it "with NULL ciphers, RC4, DES, EXPORT ciphers, MD5, etc" [2].

In a vacuum, to me the more egregious inconsistency is that we're not marking traditional cryptography as "D": we know for sure they'll fall to quantum attack, whereas practical attacks on (hybrid) ML-KEM-768 are mere speculation. I do think it's better to wait a bit before marking traditional crypto as "D", but not too long.

Best,
Bas
