It's not really two choices: ML-DSA is three and composites are 13. Deploying PQ is great, but if both ends don't accept the same thing, then we could've just as well not deployed it. Everyone agrees there are too many variants of composites, but when it comes time to choose which ones to include in a short list everyone disagrees. In the past I favoured composites, but given this fragmentation which we haven't been able to solve, and the limited security benefit anyway given there is no HNDL equivalent, the reality is that pure ML-DSA seems to be most interopable *and thus most secure* choice. To be clear I wouldn't object to composites being standardised, but they're just not useful if there is not an obvious choice.
On Wed, Apr 15, 2026 at 10:36 PM Wang Guilin <Wang.Guilin= [email protected]> wrote: > Something like half and half to support more on ML-DSA or Composite ML-DSA > for TLS 1.3. Discussions are not just about technologies, but also > confidence etc. > > So, why not take action to both? > > Then, ML-DSA document goes through WG last call, and to start a WG > adoption call for Composite ML-DSA draft. > > Just like if we are not sure what customers will like, so we offer two > courses for them to choose. > > In a little long time, it is quite likely that both become popular. > > Guilin > > _______________________________________________ > TLS mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
