On Fri, Apr 10, 2026 at 10:04:08AM -0700, Eric Rescorla wrote:
> > > is more secure
> >
> > is a point of debate. The text on #main currently does not state as fact
> > one side as more secure than the other
> 
> As Deirdre says, this is contested.

There is no doubt that hybrids are at least as secure as their
individual components.  And they are more secure than one of their
individual components -- the point is that we don't necessarily know
which of those components is weaker.

I propose we phrase it in that way then:

 - hybrids are at least as secure as their most secure component

   (certainly when the hybrid is designed correctly, and the claim does
   need some analysis, but I think no one disputes that a well-designed
   hybrid _can be_ at least as secure as...)

 - hybrids therefore are more secure than their least secure component

 - we don't know which component is weakest or which is strongest

The last point is about the biggest points of contention:

 - Are CRQCs coming?  Some say never.

 - Are any PQC algorithms known-weak to NSA and/or other TLAs?  Some
   say the risk is high of that.

So don't make a statement either way, just say that one can be presumed
weaker than the other but we don't yet know which.

> [...]
> 
> As I said, my preference is for hybrids, but I think trying to produce
> some text that will achieve consensus that says, in essence, "hybrids
> are better" is quite challenging and probably not worth the effort.
> Rather, I think we should just encode it in the Recommended=Y field
> and leave it at that.

Certainly we need at least one algorithm with PQC as a component, or
pure PQC, with Recommended=Y.  At this point a pure PQC algo will not
get Recommended=Y, so...

Nico
-- 

_______________________________________________
TLS mailing list -- [email protected]