John Mattsson <[email protected]> writes:

> Hi,
>
> Eric Rescorla wrote:
>>1. Form a WG opinion on whether we need to do simultaneous PQ + T at all.
>
> I think this is the wrong question. PQ + T is not a requirement or a
> use case. The right questions is:
>
> 1a. Form a WG opinion on whether we need something more conservative
> than standalone ML-DSA.

+1

> If the answer is yes, I think draft-reddy-tls-slhdsa is vastly
> superior to the other suggestions, while
> draft-reddy-tls-composite-mldsa is vastly inferior.
> https://www.ietf.org/archive/id/draft-reddy-tls-slhdsa-02.html

+1

I'd like to see hybrid signature support in TLS too somehow, but I think
your re-framing the question makes it easier to agree that SLH-DSA
support is at least as important.  Given the complexity of hybrid
signature progress, that could be a pragmatic way forward to mitigate
the concerns with pure ML-DSA.

/Simon

Attachment: signature.asc
Description: PGP signature

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to