On Thu, Apr 23, 2026 at 03:53:16PM +0200, Simon Josefsson wrote:
> So why do the document needs to be published through the TLS WG?
>
> I believe it would be better to spend WG cycles on solutions based on
> careful risk assessment -- which I believe is in favor of hybrids both
> for KEM's and more strongly for signatures -- rather than spend endless
> cycles pushing vanity registrations for commercial/political reasons.
Well, because, for reasons that for me are neither commercial, nor
political, my view is that just ML-DSA is by far the more sensible
signature choice to standardise first than any of the plethora of
hybrids.
It is I think prudent to avoid disparaging the motives of those who
happen to disagree with your assessment of the pros/cons. You are
of course free to disagree with my or anyone else's take. I might
not agree with your judgement, but I will not question your motives.
In particular, I strongly support a preference for hybrid KEMs (but not
exclusivity wrt. standardisation), but not at all for signatures, so
the "more strongly" is not a position I share with you.
As to the endless cycles, ... my view is that those wasted cycles are
mostly a result of stubborn opposition to what are technically sound
specifications of how the algorithms (already implemented and in use)
integrate into TLS. I support carefully crafted security considerations
that spell out the risks to be considered, but not what I see as futile
blocking tactics.
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
