On Thu, May 21, 2026 at 9:43 AM Ilari Liusvaara <[email protected]> wrote:
> On Thu, May 21, 2026 at 03:20:32PM +0800, Blue Dog wrote:
> >
> > The concrete change I still think is worth considering is the narrower
> > implementer-facing guidance on deterministic versus hedged ML-DSA signing.
> > That guidance seems TLS-relevant because the signer behavior is not visible
> > on the wire, and implementers may otherwise treat the choice as a library
> > default without noticing the operational/security trade-off for long-lived
> > authentication keys.
>
> For TLS, deterministic versus hedged ML-DSA does not matter[1]. However,
> given that at least three people have commented about this, I think that
> maybe the specification should mention something about it.

This is a good suggestion. Thanks Ilari.
https://github.com/tlswg/tls-mldsa/pull/36

> [1] The randomizer only appears together with the message hash, so it
> only affects things if the same message is signed twice, which TLS
> never does (as the input includes things like client and server
> randoms).
>
> -Ilari
>
> _______________________________________________
> TLS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
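The point in footnote [1], as an added example that is not part of the thread or of the draft: it models only the per-signature seed derivation from FIPS 204 (mu = H(tr || M', 64), rho'' = H(K || rnd || mu, 64), with rnd all zero for deterministic signing), not a full ML-DSA signature. The key material `K` and `tr`, the toy transcript and all function names are constructed for illustration.

```python
import hashlib
import os

ZERO_RND = bytes(32)  # FIPS 204 deterministic variant: rnd is 32 zero bytes


def shake256(data: bytes, outlen: int) -> bytes:
    return hashlib.shake_256(data).digest(outlen)


def certificate_verify_input(client_random: bytes, server_random: bytes) -> bytes:
    """TLS 1.3 server CertificateVerify content over a toy transcript."""
    # Constructed stand-in for the real handshake transcript: only the two
    # 32-byte randoms vary here, which is enough to show the effect.
    transcript_hash = hashlib.sha256(
        b"toy-handshake" + client_random + server_random
    ).digest()
    context = b"TLS 1.3, server CertificateVerify"
    return b"\x20" * 64 + context + b"\x00" + transcript_hash


def signing_seed(K: bytes, tr: bytes, message: bytes, hedged: bool) -> bytes:
    """Derive rho'' as in ML-DSA.Sign_internal (seed derivation only)."""
    m_prime = b"\x00\x00" + message        # domain separator 0, empty context
    mu = shake256(tr + m_prime, 64)        # mu = H(tr || M', 64)
    rnd = os.urandom(32) if hedged else ZERO_RND
    return shake256(K + rnd + mu, 64)      # rho'' = H(K || rnd || mu, 64)


def demo() -> dict:
    K, tr = bytes(range(32)), bytes(range(64))  # constructed key material
    same = certificate_verify_input(b"\x01" * 32, b"\x02" * 32)
    other = certificate_verify_input(b"\x03" * 32, b"\x04" * 32)

    def det(m):
        return signing_seed(K, tr, m, hedged=False)

    def hedged(m):
        return signing_seed(K, tr, m, hedged=True)

    return {
        # True when the two signing operations share the same seed rho''.
        "deterministic_same_message": det(same) == det(same),
        "hedged_same_message": hedged(same) == hedged(same),
        "deterministic_new_handshake": det(same) == det(other),
    }


if __name__ == "__main__":
    print(demo())
```

The seed repeats only when a deterministic signer sees the identical message twice; a new handshake changes the transcript hash, hence mu, hence rho'', with or without hedging.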
