On Thu, Apr 23, 2026 at 06:00:40AM +0300, Nicola Tuveri wrote:
> More PQC signature algorithms with better trade-offs will eventually go
> through NIST, and we could reuse the same composite construction easily and
> quickly if a CRQC has not appeared before that.
>
> Even if it did appear, costs might still be a relevant factor, so the ECC
> part of the composite might not become meaningless immediately.

It is not easier to switch from a composite to another algorithm than
it is to switch from standalone ML-DSA to another algorithm; after all,
we've made sure that at all layers above the underlying crypto provider
these all look the same.

I continue to see no present value in composite signatures in TLS, see
its potential introduction as a balkanisation opportunity and a
disservice to the ecosystem. Composite signatures in TLS might perhaps
end up supported in some future OpenSSL release despite my reservations,
but not with my coöperation or enthusiasm to make it so.
--
Viktor. 🇺🇦 Слава Україні!