Alicja Kario <[email protected]> writes: > If that classical part was good enough to be MTI and stay as > Recommended now, it should be good enough to be part of the hybrids > too.
I disagree with that, if you imply that the P256 hybrid should be MTI. So if old DSA was still MTI we have to make DSA + ML-DSA MTI too? I think we should make decisions about P256+MLDSA based on today's knowledge about P256 and MLDSA (and the combiner) rather than having necessarily make decisions that use earlier decisions on P256 as a least common denominator (i.e., MTI). The decision about MTI P256 and MTI P256+MLDSA are really two orthogonal decisions, made at different times, in different contexts. /Simon
signature.asc
Description: PGP signature
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
