I've read the document and support its publication.

The RECOMMENDED column is set to N and the status is Informational, so nothing here requires or prohibits pure ML-KEM. I see no reason to block deployment of ML-KEM-based PQ key exchange. The risks of pure ML-KEM can be mitigated by using a hybrid code point from draft-ietf-tls-ecdhe-mlkem, such as the now recommended X25519MLKEM768.

Kind regards,


--

Kris Kwiatkowski
Cryptography Developer
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to