On Mon, Apr 06, 2026 at 09:38:55PM +0200, Muhammad Usama Sardar wrote: > It deeply surprises me that IEEE is starting off its PQC transition with > non-hybrids rather than hybrids. If they have done no analysis, we should > tell them the risks and that hybrids are currently preferable. That's why I > keep emphasizing that we should first recommend hybrids and that risks > should be thoroughly mentioned in pure ML-KEM draft, if we are to publish > it.
Their trade-offs might be different to ours. Perhas they think that security in-depth means you'll use TLS at the application layer, with hybrids, and so if you use PQ-only at the network layer, in the worst case scenario you're still protected by the use of hybrids at the application layer. _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
