On Mon, Oct 20, 2025 at 9:04 AM Simon Josefsson <simon= [email protected]> wrote:
> Alicja Kario <[email protected]> writes:
>
> > If that classical part was good enough to be MTI and stay as
> > Recommended now, it should be good enough to be part of the hybrids
> > too.
>
> I disagree with that, if you imply that the P256 hybrid should be MTI.
>

I don't think anyone is proposing making P256-MLKEM MTI. The question, rather, is whether it should be Recommended=Y, for which the standard is "fit for purpose". I think the fact that pure P-256 is both Recommended=Y and MTI does bear on that question.

-Ekr

> So if old DSA was still MTI we have to make DSA + ML-DSA MTI too?
>
> I think we should make decisions about P256+MLDSA based on today's
> knowledge about P256 and MLDSA (and the combiner) rather than having
> necessarily make decisions that use earlier decisions on P256 as a least
> common denominator (i.e., MTI).
>
> The decision about MTI P256 and MTI P256+MLDSA are really two orthogonal
> decisions, made at different times, in different contexts.
>
> /Simon
> _______________________________________________
> TLS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
