As I mentioned in my blog post [1], MTI is a joke, invented to create more discussion in IETF mailing lists. There is no RFC police, and nobody can force anyone to implement an algorithm (other than, as David Benjamin noted, the null algorithm as that is the state of the uninitialized TLS stack). The flag you are looking for is the IANA recommended flag. And hybrids are recommended, pure ML-KEM is not.
In general, the question here is not whether or not hybrid key exchange algorithms should be used or even should be used as default, it is whether anybody is allowed to not use a hybrid in a standardized fashion, if both sides of the connection agree to do so. (Insert meme: I consent/I consent/I don't). Hybrid key exchanges are recommended by the IETF, all browsers are implementing them by default, all server stacks that I'm aware of implement them by default. Meanwhile pure ML-KEM is afaik only implemented behind flags, in any browser or server stack I know of. Objecting this draft on the basis that hybrid is more secure and should be the default choice shows lack of understanding of the situation, likely caused by certain technically correct, but highly misleading statements one might have encountered on social media. [1] https://keymaterial.net/2025/11/27/ml-kem-mythbusting/ On Wed, Jul 1, 2026 at 2:22 PM Justin Schnurbusch <schnurbusch.justin= [email protected]> wrote: > Yes, you got that correct. > > The thing is that it seems to me (absolutely subjective) that there needs > to be a definitely secure baseline due to the nature of humans. > > Especially due to the fact that the hybrid implementations are slightly > less performant - some might take this as an argument to say "We don't do > hybrid here, look at the performance!" We all around this list know that > these performance differences are absolutely negligible - but that may be > not case everywhere. > > And, regarding the fact that the intended status of this draft is > informational, in combination with a MTI hybrid and a currently secure > baseline, I would support the publication of this draft. > > Kind regards > Justin > > > Am 30. Juni 2026 19:53:48 MESZ schrieb Eric Rescorla <[email protected]>: > >> >> >> On Tue, Jun 30, 2026 at 10:49 AM Justin Schnurbusch <schnurbusch.justin= >> [email protected]> wrote: >> >>> I do not support the publication of this document as it seems to me that >>> the implementations "in the field" need a currently secure baseline as a >>> mandatory border. >>> >>> A more baseline-mandatory approach with an optional component seems more >>> reasonable to me. >>> >> >> I'd like to make sure I understand your position: Are you saying that if >> some hybrid (e.g., X25519-MLKEM) were MTI, you would support this draft? >> >> -Ekr >> >> _______________________________________________ > TLS mailing list -- [email protected] > To unsubscribe send an email to [email protected] > -- Sophie Schmieg | Information Security Engineer | ISE Crypto | [email protected]
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
