Hiya,
I think that was more directed at Usama than me, but I'll choose to answer anyway in case it's useful... On 09/04/2026 23:54, Andrei Popov wrote:
Just for my understanding: you'd be OK publishing something like draft-reddy-tls-composite-mldsa-09 - Use of Composite ML-DSA in TLS 1.3<https://datatracker.ietf.org/doc/draft-reddy-tls-composite-mldsa/ (assuming it was WG-adopted, etc.)?
I'm not at all convinced composite signatures have much value but would not be ok with that draft on another basis, which also affects the draft being WGLC'd - IIUC, TLS, and in particular, web server and acme packages, don't yet have practical ways of managing multiple TLS server certs for the same origin, and composite signatures seem to require that, so I think we'd be getting too far ahead of the game in standardising the composite sig draft you mentioned until more experimentation has been done. If this pure ml-dsa signatures draft is being proposed as a way of just switching over from e.g. rsa/eddsa/ecdsa to ml-dsa then I'm not at all sure that "just switch over" idea is tractable for real deployments, so, again, more experimentation is warranted, but not widespread deployment. Cheers, S.
OpenPGP_signature.asc
Description: OpenPGP digital signature
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
