On Tue, Oct 14, 2025 at 01:44:22PM -0700, Eric Rescorla wrote:
> On Tue, Oct 14, 2025 at 1:30 PM Nico Williams <[email protected]> wrote:
> > I should add that if the necessary codepoint registrations are
> > Specification Required (as they are here),
>
> Indeed the code points have already been assigned for MLKEM.

Right.

> > then a policy of non-publication of PQ-only suites would have no real
> > effect unless the registration policy is changed to be IESG Protocol
> > Action.
>
> This change seems like it would be very unlikely, given that we
> changed to the current policy precisely to address this kind of
> debate (which has obviously not succeeded completely).

Nonetheless the industry has been burned by Dual_Ec [0], as you know, and this looks like it could possibly be a repeat.

Given that we can't really forbid pure-PQ, it should at least come with warnings to use it mainly where performance is essential and mainly only in, e.g., corporate networks.

Thus perhaps we should indeed publish pure-PQ as Experimental and with caveats. Granted, people see "RFC" and think "standard", and don't look inside, but since it will ship, we might as well have an Experimental RFC.

[0] And the extended random that enabled Dual_Ec's use as a backdoor.

Nico
