+1 for publication for the same reasons. I suggest for Dierdre to explicitly call out in the Sec Considerations section the security advantage of PQ/T hybrid vs PQ only and reference the hybrid draft and other appropriate docs discussing it. That way, uninformed implementers or adopters can be educated about the options. FWIW, ML-KEM was developed by mostly European academia and industry cryptographers, not by "bad states".
-----Original Message----- From: Jan Schaumann <[email protected]> Sent: Tuesday, November 25, 2025 9:43 AM To: [email protected]; [email protected]; [email protected] Subject: [EXTERNAL] [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26) CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. Sean Turner via Datatracker <[email protected]> wrote: > > Subject: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26) > > This message starts a 3-week WG Last Call for this document. > > Abstract: > This memo defines ML-KEM-512, ML-KEM-768, and ML-KEM-1024 as > NamedGroups and and registers IANA values in the TLS Supported Groups > registry for use in TLS 1.3 to achieve post-quantum (PQ) key > establishment. The abstract makes the intent clear; setting RECOMMENDED=N in the registry is additionally explicit. With that, I support publication. -Jan _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected] _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
