>Can the authors -- or anyone actually -- provide a >specific example of where >they WANT to use SLH->DSA? Not COULD as the draft currently says.
I would like to support it in all our TLS implementations as a backup algorithm to the lattice-based ML-DSA. SLH-DSA has a completely different construction (hash-based) which makes it a good backup algorithm. FN-DSA is not a good backup algorithm and multivariate signatures are too far into the future. I would like to use it in countries where standalone ML-DSA is not allowed, and in the case ML-DSA has vulnerabilities (implementation problems much more likely than practical theoretical attacks). People say that SLH-DSA is not a good fit for TLS, but I think they mean HTTPS. If you use TLS for infrastructure instead of IPsec and transfer high-volumes of data over a long-lived connection, a few kB in the handshake are quite irrelevant. John Sent from Commodore VIC-20 ________________________________ From: Eric Rescorla <e...@rtfm.com> Sent: Friday, May 16, 2025 5:23:37 PM To: Salz, Rich <rs...@akamai.com> Cc: Kampanakis, Panos <kpanos=40amazon....@dmarc.ietf.org>; TLS List <tls@ietf.org> Subject: [TLS] Re: WG Adoption Call for Use of SLH-DSA in TLS 1.3 On Fri, May 16, 2025 at 8:19 AM Salz, Rich <rs...@akamai.com<mailto:rs...@akamai.com>> wrote: I am not thrilled about adoption, for the reasons that EKR and Panos said. Further, I am concerned about us going back to the old days of “register every algorithm” which took years to evolve away from. We can assign code points based on drafts and let the world experiment. Can the authors -- or anyone actually -- provide a specific example of where they WANT to use SLH-DSA? Not COULD as the draft currently says. This would be helpful to me as well. -Ekr
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
