On Wed, Apr 08, 2026 at 01:56:43PM +0000, Salz, Rich wrote:
> # Security Considerations {#security-considerations}
>
> This document defines standalone ML-KEM key establishment for TLS 1.3.
> A PQ/T hybrid combines a post-quantum algorithm such as ML-KEM. with
> a traditional algorithm such as Elliptic Curve Diffie-Hellman (ECDH)
> The IETF is working on an RFC that defines several such key
> establishment mechanisms, ML-KEM with a combining ECDH in
> {{ECDHE-MLKEM}}.
>
> Both documents have IANA registry entries with an `N` in the
> recommended column. Quoting from the registry {{TLSREG}}, "\[this]
> does not necessarily mean that it is flawed; rather, it indicates that
> the item ... has limited applicability, or is intended only for
> specific use cases." Those developing or deploying TLS 1.3 with either
> encapsulation method will have to determine the security and
> operational considerations when choosing which mechanism to support.
This framing is I think unopinionated to the point of avoding mention of
the specific risks that motivate hybrids, and the need to consider those
risks before choosing a non-hybrid, with a hybrid as the prudent default
choice when in doubt.
I don't see it as sufficient for a "rough" consensus that both:
- The technical specification is sound, **AND**
- The security considerations adequately cover the questions
that implemtnations and users need to consider.
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
