Hello Rich,

Thank you for the pushback. I agree with your point.

That sentence was intended only to say that deployment policy is separate from the wire-protocol definition, but as written it does not add much beyond the general fact that local policy can restrict any signature algorithm. I do not think that point needs to be added to this draft.

The concrete change I still think is worth considering is the narrower implementer-facing guidance on deterministic versus hedged ML-DSA signing. That guidance seems TLS-relevant because the signer behavior is not visible on the wire, and implementers may otherwise treat the choice as a library default without noticing the operational/security trade-off for long-lived authentication keys.

So I would withdraw the local-policy sentence and keep the suggested Security Considerations addition limited to signing-mode guidance, if the WG thinks such guidance belongs in the document.

Best regards,
Songbo Bu

On Wed, 20 May 2026 21:29:21 +0000, “Salz, Rich” [email protected] wrote:

> - I would also suggest one sentence noting that local policy may restrict the use of standalone ML-DSA authentication in deployments that require hybrid authentication during the transition period.
>
> How is that any different than saying local policy may want P256 signatures, etc? And why is it necessary?
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
