Uri, I think you missed my point.
The statement made was 1. hybrid is LESS secure (so pure ML-KEM should be used) 2. he doesn’t support publishing pure ML-KEM (so hybrid should be used). I was just a bit confused about how these two statements are to be reconciled. Y(J)S From: Blumenthal, Uri - 0553 - MITLL <[email protected]> Sent: Monday, June 29, 2026 6:52 PM To: Yaakov Stein <[email protected]>; [email protected] Subject: Re: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08) >> * For the time being, hybrid cryptography appears clearly less secure than >> solo post-quantum cryptography >> I do not support the publication of this document. > > Less secure but should be used ? Hybrid will always be less secure, if (a) you agree that CRQC is coming, and (b) your data will remain sensitive through that time. Therefore, IMHO it should not be used — but unlike some others on this list, I want those who have reasons to use Hybrid, to be able to do so, without having to convince me that they truly really want/need it. This message is intended only for the designated recipient(s). It may contain confidential or proprietary information. If you are not the designated recipient, you may not review, copy or distribute this message. If you have mistakenly received this message, please notify the sender by a reply e-mail and delete this message. Thank you.
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
