> and only after a number of revisions and real efforts including, what some may
> consider personal and professional risk, mainly from research driven proof
> from philanthropic members of this list and dissemination and egress of
> discussions happening, outward!
As someone who has argued for years that X25519MLKEM768 should not only be RECOMMENDED=Y but also MTI (which I still think)
https://mailarchive.ietf.org/arch/msg/tls/tx0fEKDEWDYuLJlmQC8elAjW5YM/
I find it difficult to understand why anyone would perceive personal or professional risk in advocating that X25519MLKEM768 be designated RECOMMENDED=Y. That the TLS WG should standardize PQ/T key exchange and assign it RECOMMENDED=Y status has in my view not been controversial. The only real discussion has been about which hybrid constructions TLS should standardize and recommend.

The only really nasty thing happening that I can think of is Bernstein writing blogs accusing everyone not agreeing with him of being stupid, not being able to count, being corrupt, and being NSA collaborators. I know several young researchers who do not want to engage in public cryptographic mailing lists due to fear of Bernstein.

> should still be refactored to include research, safety and efficiency.

TLS already has a huge number of researchers from academia, industry, and government. If you mean protocol efficiency, the TLS WG has arguably been thinking too much about efficiency with early data, psk_ke, PSK identifiers sent in cleartext, key share reuse, rekeying without PCS, RPKs without context, etc. If you mean process efficiency, I am not sure more academia is the solution…

Cheers,
John Preuß Mattsson

From: Andrew Lee <[email protected]>
Date: Sunday, 7 June 2026 at 00:47
To: Salz, Rich <[email protected]>
Cc: Nadim Kobeissi <[email protected]>; [email protected] <[email protected]>
Subject: [TLS] Re: FATT Chance: On the Robustness of Standalone and Hybrid ML-KEM Key Exchange in TLS 1.3

On Sat, Jun 6, 2026 at 3:16 PM Salz, Rich <[email protected]> wrote:

> On 6/6/26, 5:57 AM, "Nadim Kobeissi" <[email protected]> wrote:
>
> > Yes, exactly.
> > I believe that Andrew is referring to the fact that hybrids aren't RECOMMENDED=Y, which is silly, and the impetus behind Bas’s recent effort:
> > https://datatracker.ietf.org/doc/draft-westerbaan-tls-keyshare-recommendations/
>
> Andrew should speak for himself, but when I read his message (and when Deirdre read it, and EKR read it), it seemed like he was making the point that a bunch of non-IETF folks swarmed the group and “saved” something by causing ML-KEM to not be RECOMMENDED. This is just wrong. If Andrew meant something else, I hope he will clarify.

I was referring to the fact that hybrids were not RECOMMENDED=Y until much later and only after a number of revisions and real efforts including, what some may consider personal and professional risk, mainly from research driven proof from philanthropic members of this list and dissemination and egress of discussions happening, outward!

I really appreciate Dr. Bernstein, Dr. Kobeissi, Mr. Sardar, Mr. Westerbaan, Mr. Salz and everyone else who helped get this right.

And separately, you're right; the process is working, but it should still be refactored to include research, safety and efficiency.
