On Thu, May 21, 2026 at 03:20:32PM +0800, Blue Dog wrote:
>
> The concrete change I still think is worth considering is the narrower
> implementer-facing guidance on deterministic versus hedged ML-DSA signing.
> That guidance seems TLS-relevant because the signer behavior is not visible
> on the wire, and implementers may otherwise treat the choice as a library
> default without noticing the operational/security trade-off for long-lived
> authentication keys.

For TLS, deterministic versus hedged ML-DSA does not matter[1].
However, given that at least three people have commented about this,
I think that maybe the specification should mention something about
it.


[1] The randomizer only appears together with the message hash, so
it only affects things if the same message is signed twice, which
TLS never does (as the input includes things like client and server
randoms).


-Ilari
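
The footnote's argument, as an added example that is not part of the original message or of any ML-DSA library: it reproduces only the per-signature seed derivation from FIPS 204 (mu, then rho'' = H(K || rnd || mu)) and feeds it TLS 1.3 CertificateVerify inputs. The key values K and tr, the randoms, the stand-in transcript hash and the empty context string are constructed assumptions.

```python
import hashlib

def shake256(data: bytes, n: int) -> bytes:
    return hashlib.shake_256(data).digest(n)

def certificate_verify_input(client_random: bytes, server_random: bytes) -> bytes:
    """RFC 8446 CertificateVerify content: 64 spaces, context label, 0x00, transcript hash.
    The transcript hash is a simplified stand-in that only covers the two randoms."""
    transcript_hash = hashlib.sha256(
        b"constructed handshake" + client_random + server_random).digest()
    return b"\x20" * 64 + b"TLS 1.3, server CertificateVerify" + b"\x00" + transcript_hash

def signing_seed(K: bytes, tr: bytes, message: bytes,
                 rnd: bytes = bytes(32), ctx: bytes = b"") -> bytes:
    """Per-signature seed rho'' from FIPS 204 signing.
    rnd = 32 zero bytes is the deterministic variant; fresh random bytes is hedged.
    ctx = b"" is an assumption made for this example."""
    m_prime = bytes([0, len(ctx)]) + ctx + message   # M' = 0 || |ctx| || ctx || M
    mu = shake256(tr + m_prime, 64)                  # mu = H(tr || M', 64)
    return shake256(K + rnd + mu, 64)                # rho'' = H(K || rnd || mu, 64)

# Constructed long-lived key material (not a real ML-DSA key).
K = bytes(range(32))
TR = bytes(range(64))

# Two constructed handshakes that differ only in their randoms.
HANDSHAKE_A = certificate_verify_input(b"\x01" * 32, b"\x02" * 32)
HANDSHAKE_B = certificate_verify_input(b"\x03" * 32, b"\x04" * 32)

def compare_modes() -> dict:
    det_a = signing_seed(K, TR, HANDSHAKE_A)
    det_b = signing_seed(K, TR, HANDSHAKE_B)
    hedged_1 = signing_seed(K, TR, HANDSHAKE_A, rnd=b"\xaa" * 32)
    hedged_2 = signing_seed(K, TR, HANDSHAKE_A, rnd=b"\xbb" * 32)
    return {
        # Deterministic mode, different handshakes: seeds already differ.
        "deterministic_distinct_handshakes_differ": det_a != det_b,
        # Deterministic mode, identical message: the only case where the seed repeats.
        "deterministic_same_message_repeats": det_a == signing_seed(K, TR, HANDSHAKE_A),
        # Hedged mode, identical message: rnd alone separates the seeds.
        "hedged_same_message_differs": hedged_1 != hedged_2,
    }

if __name__ == "__main__":
    for name, value in compare_modes().items():
        print(f"{name}: {value}")
```
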
