For clarification, are you talking about the hash-based signature scheme that the working group didn't think was worth adopting? Or the hash-based signature scheme(s) that no one has proposed adopting in TLS?
The hash-based signature scheme whose signatures will add significantly to certificate sizes and certificate verification time? Or the hash-based signature scheme(s) that require you to don a hazmat suit every time a signature is generated? > -----Original Message----- > From: Watson Ladd <[email protected]> > Sent: Thursday, April 16, 2026 8:32 PM > To: Mike Ounsworth <[email protected]> > Cc: John Mattsson <[email protected]>; TLS List > <[email protected]> > Subject: [TLS] Re: Composite ML-DSA > > Mike, > > Those devices should use a signature scheme that's as secure as hashing. > Thankfully there is one. So why do we need composites? > > Sincerely, > Watson > > _______________________________________________ > TLS mailing list -- [email protected] > To unsubscribe send an email to [email protected] _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
