I object to the publication of this document. Given the question
> Should the working group publish a document specifying stand alone ML-KEM? my answer is no, and this extends to all current KEMs/NIKEs. ML-KEM seems sound enough to heuristically get us through a first few years of transition while X25519 prevents attacks in the short term (with active attacks on today's connection becoming mostly irrelevant by the time a CRQC exists, and passive HNDL attacks becoming less relavant for many pieces of information). By that time, I also expect many improvements in safety, security and efficiency to be ripe for inclusion in TLS, which would make ML-KEM obsolete from any purely technical standpoint. I have been debating whether ISE publication would be a good way forward, since it at least includes a disclaimer regarding a lack of consensus, but ultimately think that some other publication venue (e.g. link to it on archive.org, or make up a dedicated consortium curating it) would serve the need for a stable reference without any implied IETF recommendation better. The code points themselves are assigned and cannot be reused for the forseeable future. Best, -- TBB
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
