I object to the publication of this document.

Given the question

> Should the working group publish a document specifying stand alone ML-KEM?

my answer is no, and this extends to all current KEMs/NIKEs.
ML-KEM seems sound enough to heuristically get us through a first few years of 
transition while X25519 prevents attacks in the short term (with active attacks 
on today's connection becoming mostly irrelevant by the time a CRQC exists, and 
passive HNDL attacks becoming less relavant for many pieces of information).
By that time, I also expect many improvements in safety, security and 
efficiency to be ripe for inclusion in TLS, which would make ML-KEM obsolete 
from any purely technical standpoint.

I have been debating whether ISE publication would be a good way forward, since 
it at least includes a disclaimer regarding a lack of consensus, but ultimately 
think that some other publication venue (e.g. link to it on archive.org, or 
make up a dedicated consortium curating it) would serve the need for a stable 
reference without any implied IETF recommendation better.
The code points themselves are assigned and cannot be reused for the forseeable 
future.

Best,

-- TBB

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to