On Thu, Jun 11, 2026 at 11:45:08AM -0400, David Benjamin wrote: > > Implementations should not rely on the protcool layer for security. > > And protocol layer should not rely on implementation internals. > > I agree with this. Just as we don't rely on the protocol layer to secure > the implementation of the underlying algorithm, we also don't need to rely > on the protocol layer to specify the underlying algorithm.
The second part is not about "need", but about what REALLY SHOULD NOT be done. Placing requirements on implementations beyond the underlying specifications is a Really Bad Idea. That one would "need" to do so is a Major Red Flag (either that the protocol or the algorithm is bad). And in the first part, there is difference between implementation relying on protocol (which is bad, and the implementation should be fixed) and underlying specification relying on the protocol, which is another Major Red Flag. > Practically speaking, the TLS layer does not implement ML-DSA directly. It > calls into the ML-DSA implementation. If the ML-DSA spec failed to capture > this, by the time the TLS implementor goes to look at the TLS spec, we're a > few layers past ML-DSA. Decisions about hedged vs deterministic have > probably already been made. > > Happily, FIPS 204 talks about this *already* in section 3.4: Yes, However, at least three people were still confused, thinking that deterministic vs. hedged somehow matters for TLS. Which would be really bad if true. -Ilari _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
