Hybrid and Pure have different risk profiles and trade-offs. It makes sense to 
let the user pick what suits best. That has been the traditional approach at 
IETF (being around for 20+ years, you should know), until some individual(s) 
with “holier than thou” attitude started insisting on “only my way is good 
enough - forbid everything else”.

Thus, while I agree that the two original statements can sound confusing - they 
do make sense (to me, at least).
—
Regards,
Uri

Secure Resilient Systems and Technologies
MIT Lincoln Laboratory

> On Jun 30, 2026, at 05:09, Yaakov Stein <[email protected]> wrote:
> 
> 
> This Message Is From an External Sender
> This message came from outside the Laboratory.
> Uri,
>  
> I think you missed my point.
>  
> The statement made was
> hybrid is LESS secure (so pure ML-KEM should be used)
> he doesn’t support publishing pure ML-KEM (so hybrid should be used).
>  
> I was just a bit confused about how these two statements are to be reconciled.
>  
> Y(J)S
>  
> From: Blumenthal, Uri - 0553 - MITLL <[email protected]>
> Sent: Monday, June 29, 2026 6:52 PM
> To: Yaakov Stein <[email protected]>; [email protected]
> Subject: Re: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08)
>  
> >> * For the time being, hybrid cryptography appears clearly less secure than 
> >> solo post-quantum cryptography
> >>  I do not support the publication of this document.
>  >
> > Less secure but should be used ?
>  
> Hybrid will always be less secure, if (a) you agree that CRQC is coming, and 
> (b) your data will remain sensitive through that time.
>  
> Therefore, IMHO it should not be used — but unlike some others on this list, 
> I want those who have reasons to use Hybrid, to be able to do so, without 
> having to convince me that they truly really want/need it.
> This message is intended only for the designated recipient(s). It may contain 
> confidential or proprietary information. If you are not the designated 
> recipient, you may not review, copy or distribute this message. If you have 
> mistakenly received this message, please notify the sender by a reply e-mail 
> and delete this message. Thank you.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to