Hi Eric,

I guess, Jan meant the following:

"I think we should have learned from history of TLS and other protocols
that having multiple (**weak and strong**) algorithms is a security
problem."

Am Dienstag, dem 07.07.2026 um 11:22 -0700 schrieb Eric Rescorla

> I don't think we've learned that. Quite the contrary, the ability to
> have
> multiple algorithms is what is allowing a smooth transition to
> hybrids.

Just as a reminder: After the BEAST attack against AES-CBC in 2011, the
German BSI recommended RC4 as alternative [1].

Already in 2000, OpenSSH removed RC4 [2] (while actually discarding the
first generated keys to cope with the missing entropy) [3].

Thus, wrong decisions regarding insufficient crypto algs may impact
future use as well. 

This seems to hold also for ML-KEM and X25519MLKEM768.

Regards.
--eh. 

[1]
https://www.allianz-fuer-cybersicherheit.de/SharedDocs/Downloads/Webs/ACS/DE/BSI-CS/BSI-CS_012.pdf?__blob=publicationFile&v=1
(German only)
[2] https://www.openssh.org/security.html 
[3] https://datatracker.ietf.org/doc/html/rfc4345


 

-- 
Dr. Erwin Hoffmann | www.fehcom.de
PGP key-id: 36553F7F9C58D1CC
PGP key-fingerprint:  950B 5555 0B08 5A2A 1C00 9594 3655 3F7F 9C58 D1CC

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to