> By contrast the PQ version "just" has key size issues to worry about > with the DNS advertising bits and maybe some structures that get > tight. >
I have the same intuition. Instead of guessing, we should plop Kyber in ECH and see if it works. If not then there are still other paths besides PSK — for instance using BAT [1]. Best, Bas [1] https://eprint.iacr.org/2022/031
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
