Bas Westerbaan writes:
> Setting aside the question of use cases for a moment, let me note that no
> one even bothered to ask IANA to assign codepoints for any hybrid not
> already listed in this I-D.

It seems that practically all of the real-world PQ usage in TLS is specifically of the first option in the spec (X25519MLKEM768). See, e.g., https://www.netmeister.org/blog/pqc-use-2025-03.html.

Removing the other options (SecP256r1MLKEM768 and SecP384r1MLKEM1024) from the spec would certainly resolve my concerns regarding the security risks of including those options in the spec. However, if those options remain, then they should be accompanied by X25519MLKEM1024 and X448MLKEM1024, so that implementors selecting ML-KEM-1024 aren't _forced_ by the spec into a poor curve choice. Adding these two options is a very easy change to the spec.

> I see no reason to hold up this document now:
> we can always publish a follow-up later on.

"Kicking the can down the road, saying that these options can be added by another spec later, would not address this sub-concern. An implementor looking for the lowest-risk post-quantum option in _this_ spec is forced into a poor ECC choice; _this_ spec should fix that."

---D. J. Bernstein

===== NOTICES REGARDING IETF =====

It has come to my attention that IETF LLC believes that anyone filing a comment, objection, or appeal is engaging in a copyright giveaway by default, for example allowing IETF LLC to feed that material into AI systems for manipulation. Specifically, IETF LLC views any such material as a "Contribution", and believes that WG chairs, IESG, and other IETF LLC agents are free to modify the material "unless explicitly disallowed in the notices contained in a Contribution (in the form specified by the Legend Instructions)". I am hereby explicitly disallowing such modifications.

Regarding "form", my understanding is that "Legend Instructions" currently refers to the portion of https://web.archive.org/web/20250306221446/https://trustee.ietf.org/wp-content/uploads/Corrected-TLP-5.0-legal-provsions.pdf saying that the situation that "the Contributor does not wish to allow modifications nor to allow publication as an RFC" must be expressed in the following form: "This document may not be modified, and derivative works of it may not be created, and it may not be published except as an Internet-Draft". That expression hereby applies to this message.

I'm fine with redistribution of copies of this message. There are no confidentiality restrictions on this message. The issue here is with modifications, not with dissemination.

For other people concerned about what IETF LLC is doing: Feel free to copy these notices into your own messages. If you're preparing text for an IETF standard, it's legitimate for IETF LLC to insist on being allowed to modify the text; but if you're just filing comments then there's no reason for this.

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
