On 30.06.2026, at 04:10:41, [email protected] wrote: > > I’m opposed to the publication of this document. We can’t trust ML-KEM to > stand on its own against classical attacks yet. The hybrid approach is more > secure and worth the 3% cost during key exchange. > > After Q-Day, hybrids are still more secure for a while. Because if an actor > breaks the post quantum part, he may not have access to the quantum hardware > that breaks the classical part yet. We should drop ECDHE only when quantum > computers are ubiquitous. > > Michael Gouin
Exactly my thoughts. And even though Kevin Milner clarified: > "those supporting the draft are not ‘for solo ML-KEM.’ The draft is to > specify the method to do solo ML-KEM, in contrast to having unstandardised > third-party implementations. > A vote ‘for solo ML-KEM’ would be with respect to the IANA registry, not with > respect to a specification for how to do it.” I’m afraid that people would mis-judge the publication as being “good enough” to be used. So I do not support the publication. Marc Stibane _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
