John Mattsson <[email protected]> writes: > Hi, > > Eric Rescorla wrote: >>1. Form a WG opinion on whether we need to do simultaneous PQ + T at all. > > I think this is the wrong question. PQ + T is not a requirement or a > use case. The right questions is: > > 1a. Form a WG opinion on whether we need something more conservative > than standalone ML-DSA.
+1 > If the answer is yes, I think draft-reddy-tls-slhdsa is vastly > superior to the other suggestions, while > draft-reddy-tls-composite-mldsa is vastly inferior. > https://www.ietf.org/archive/id/draft-reddy-tls-slhdsa-02.html +1 I'd like to see hybrid signature support in TLS too somehow, but I think your re-framing the question makes it easier to agree that SLH-DSA support is at least as important. Given the complexity of hybrid signature progress, that could be a pragmatic way forward to mitigate the concerns with pure ML-DSA. /Simon
signature.asc
Description: PGP signature
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
