On 23/02/2026 15:21, Kurt Roeckx wrote:
Getting endpoints to support (and prefer) hybrid key exchange is a big win for practical security and there's no reason not to do it as soon as possible.2. Bit harder: do we discourage ("D") or stay neutral ("N") on quantum vulnerable algorithms? Recall that "N" is defined asDo you expect implementations to actually follow this soon? That is, remove it from their default? At least D implies to me that it should be disabled by default. And I don't think we're ready for that.
Getting endpoints to remove their non-PQ support barely moves the needle for security and will take a very long time.
Tying the two together in one draft might give non-experts the incorrect idea that they do need to do both with equal urgency.
I'd actually prefer to keep this simple for now: just mark the algorithms in draft-ietf-ecdhe-mlkem Y and leave the other questions for later.
I agree with Ekr.
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
