Nadim Kobeissi <[email protected]> wrote:

> Sophie, your own coworker at Google, David Adrian (a product manager on Google
> Chrome) has *repeatedly* expressed on this list that Google Chrome, the 
> world’s
> most popular browser, has (presumably with his encouragement) already
> implemented draft-ietf-tls-mlkem, without even waiting for the results of this
> consensus call.

Implementing it is not the same as enabling it by
default.

Several of Google's servers also support MLKEM1024,
but do not prefer it if the client offers
X25519MLKEM768.

I don't work for Google, but reading the tea leaves
strewn across the internet, I would hazard the guess
that Google puts in place the bits that allow, e.g.,
an organization administrator to _enable and prefer_
pure MLKEM much as they have signaled that they will
allow pure ML-DSA certs for private PKIs while
pursuing MTCs for the web-PKI.

That is, an organization administrator might decide to
set this for all clients under their control and then
know that for the services they control (as well as
certain services Google offers) pure MLKEM will be
used.

This is in line with Sophie's argument: there is no
chance of a pure MLKEM being negotiated
_accidentally_.

(For which of their customers they are putting this in
place is a different bet you can place.)

-Jan

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to