On Mon, Apr 06, 2026 at 03:09:03PM +0000, Salz, Rich wrote: > * > >> 65536-bit RSA is "more secure" than 2048-bit RSA, is that a > compelling argument to never use 2048-bit RSA, and always use 65536-bit RSA? > > * > This is comparing small apples and big apples whereas the comparison > under discussion is "apples concatenated with oranges" vs. "oranges only". > > Why did we standardize ECC signatures over moving from 2K RSA to 4K > RSA? Why did we standardize ECDH key exchange over classic DH? Almost > all the arguments pretty much came down to efficiency of size, > computation, etc. > > Are you so confident of all global deployments of TLS that you can > assert that pure MLKEM is never worth the efficiency gain? And who > would you believe if they told you otherwise?
Who is that addressed to, Usama or Viktor? I can't tell; maybe that's just an artifact of Outlook being a crappy MUA. Anyways, Viktor is not against publication, but wants guidance saying that at this time we prefer hybrids, but obviously that would not prevent use of non-hybrids. I don't think anyone in this sub-sub-thread is arguing that there is no case where non-hybrid performance wins by enough to justify it. Nico -- _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
