Hi Scott,

On 7/2/26 2:49 PM, Scott Fluhrer (sfluhrer) wrote:
I feel I need to ask this (both to you and to others who have suggested that ML-KEM cannot be trusted): do you support the publication of draft- ietf-tls-ecdhe-mlkem?

Surely if anyone knew for sure ML-KEM was broken they'd bring that up, but "cannot be trusted" is a different thing. Obviously we've seen tons of standardized crypto over the decades that everyone thought was secure and then it turned out was broken. So let me turn it around and ask you a question, are you absolutely 100% sure without any doubt whatsoever that both ML-KEM and these specs are completely secure forever? If not (and I'm not sure how anyone could be) it's only sensible to hedge against this, which is why only hybrid should exist and this draft-ietf-tls-mlkem should not be published.

Thanks,
Travis

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to