Hi Eric, I guess, Jan meant the following:
"I think we should have learned from history of TLS and other protocols that having multiple (**weak and strong**) algorithms is a security problem." Am Dienstag, dem 07.07.2026 um 11:22 -0700 schrieb Eric Rescorla > I don't think we've learned that. Quite the contrary, the ability to > have > multiple algorithms is what is allowing a smooth transition to > hybrids. Just as a reminder: After the BEAST attack against AES-CBC in 2011, the German BSI recommended RC4 as alternative [1]. Already in 2000, OpenSSH removed RC4 [2] (while actually discarding the first generated keys to cope with the missing entropy) [3]. Thus, wrong decisions regarding insufficient crypto algs may impact future use as well. This seems to hold also for ML-KEM and X25519MLKEM768. Regards. --eh. [1] https://www.allianz-fuer-cybersicherheit.de/SharedDocs/Downloads/Webs/ACS/DE/BSI-CS/BSI-CS_012.pdf?__blob=publicationFile&v=1 (German only) [2] https://www.openssh.org/security.html [3] https://datatracker.ietf.org/doc/html/rfc4345 -- Dr. Erwin Hoffmann | www.fehcom.de PGP key-id: 36553F7F9C58D1CC PGP key-fingerprint: 950B 5555 0B08 5A2A 1C00 9594 3655 3F7F 9C58 D1CC
signature.asc
Description: This is a digitally signed message part
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
