On Monday, 20 October 2025 17:57:33 CEST, Simon Josefsson wrote:
Alicja Kario <[email protected]> writes:
If that classical part was good enough to be MTI and stay as
Recommended now, it should be good enough to be part of the hybrids
too.
I disagree with that, if you imply that the P256 hybrid should be MTI.
So if old DSA was still MTI we have to make DSA + ML-DSA MTI too?
We're not discussing if any of the hybrids should be mandatory to
implement.
And what is the purpose of discussing alternative timelines where DSA is
dominant?
I think we should make decisions about P256+MLDSA based on today's
knowledge about P256 and MLDSA (and the combiner) rather than having
necessarily make decisions that use earlier decisions on P256 as a least
common denominator (i.e., MTI).
And what did fundamentally change since the P-256 was marked as MTI and
both it and secp384r1 curve were marked as Recommended?
--
Regards,
Alicja Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
