I've read the document and support its publication.
The RECOMMENDED column is set to N and the status is Informational, so nothing
here requires or prohibits pure ML-KEM. I see no reason to block deployment of
ML-KEM-based PQ key exchange. The risks of pure ML-KEM can be mitigated by
using a hybrid code point from draft-ietf-tls-ecdhe-mlkem, such as the now
recommended X25519MLKEM768.
Kind regards,
--
Kris Kwiatkowski
Cryptography Developer
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]