The point of my blog post relevant to the discussion here is the section on hybrids and the IETF. You did indeed not argue that there might be a NOBUS backdoor in ML-KEM, but nor did anyone else on this mailing list imply that this was your point.
Rather: TLS 1.3 has solid downgrade protections. Having a cipher that you don't trust supported in the spec has absolutely zero consequences if you do not wish to support it.

On Thu, Feb 19, 2026 at 1:37 PM Muhammad Usama Sardar <[email protected]> wrote:

> On 19.02.26 20:03, Salz, Rich wrote:
> > I honestly want to know your technical reasons, but patience is finite
>
> If someone's patience is short, please take the time to address my concern, which I hope is technical enough :)
>
> Is breaking formal analysis (as pointed out in [0]) not a "technical reason" for the WG? Please show me a proof that ML-KEM is more secure than hybrid.
>
> For RFC8773bis, when a constant "zero" was replaced by a secret (external PSK), FATT was very worried about it and demanded that I do a formal proof.
>
> Now when a secret (EC)DHE is replaced by a completely new secret "shared_secret" coming from fancy new crypto, FATT will not be worried about it? How could it possibly be the case? I can't believe it. What am I missing? For transparency, please share the FATT report with the WG.
>
> Also, kindly share the name of the FATT point person for this draft and please give me permission to talk to him/her directly to avoid any misunderstandings by relaying via list/chairs.
>
> -Usama
>
> [0] https://mailarchive.ietf.org/arch/msg/tls/M-dTIUXdG_x7OtweBcOCp0bFcZQ/
>
> _______________________________________________
> TLS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

--
Sophie Schmieg | Information Security Engineer | ISE Crypto | [email protected]
