On Wed, Jul 1, 2026 at 2:59 PM Andrew Lee <[email protected]> wrote:

> On Jul 1, 2026, at 2:22 PM, Kevin Milner <[email protected]> wrote:
>
> several very widely deployed libraries and applications are already
> implementing pure ML-KEM (I believe several have been cited previously in
> the discussion of this draft, by both sides), and I suspect more will over
> time.
>
> Do you happen to have a few examples or a link to this so-called wall of
> shame?
>

I'm afraid you will have pretty much all mainstream TLS libraries on your
"wall of shame".

As far as I can tell, at least the following libraries implement pure
ML-KEM support in TLS according to this specification:
- OpenSSL (ML-KEM-512/768/1024)
- BoringSSL (ML-KEM-1024)
- AWS-LC (ML-KEM-512/768/1024)
- Rustls (ML-KEM-768/1024)
- s2n-tls (ML-KEM-1024)
- Bouncy Castle (ML-KEM-512/768/1024)
- Botan (ML-KEM-512/768/1024)
- GnuTLS (ML-KEM-768/1024)
- WolfSSL (ML-KEM-512/768/1024)

I believe that, with the exception of WolfSSL all these libraries do not
require compile-time feature flags to enable pure ML-KEM support. Worth
noting that as far as I can tell none of these libraries enable pure ML-KEM
in the default TLS configuration, they require users to make an explicit
choice to enable it.

Hope this helps.

-yaroslav

-- 


This communication (including any attachments) is intended for the sole 
use of the intended recipient and may contain confidential, non-public, 
and/or privileged material. Use, distribution, or reproduction of this 
communication by unintended recipients is not authorized. If you received 
this communication in error, please immediately notify the sender and then 
delete all copies of this communication from your system.
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to