On Thu, Apr 09, 2026 at 09:13:42PM +0100, Stephen Farrell wrote:

> As you might expect, I do not think this should be published
> at this time without there being guidance as to usage. From
> my POV the same goes for any RFC for any newish pure PQ.

To be honest, I actually did not expect you to object at this time.
Unlike the case with key exchange, if ML-DSA is later compromised there
is no risk to the confidentiality or integrity of past connections.

The need for hybrids here is rather questionable, and the hybrid
signature landscape is much too diverse, with novel ad hoc encodings
I am not inclined to implement.  My preference is to entirely skip
the hybrid (composite) signature algorithms as an unnecessary bridging
technology nobody will need.

> In contrast to KEMs, IMO the guidance for signatures in TLS would be
> to just not deploy them for now, but only to do experiments in case
> this is needed in future.

It seems that "future" will be with us quite soon, whether or not the
CRQCs that are motivating the accelerated deployment are delayed.  So
implementations need to get ready.

-- 
    Viktor.  🇺🇦 Слава Україні!

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
