Hiya,
On 07/07/2026 19:49, Sophie Schmieg wrote:
I think it is important to emphasize that, even if one assumes a total compromise of pure ML-KEM there exists no risk to the public internet from this draft.
I find the above unconvincing. The dual-ec fiasco also involved paying commercial entities to implement the borked alg as well as the odd code additions in the Juniper case. Were there a backdoor in ML-KEM (which I do not think is the case) then it could be exploited, and the existence of this putative RFC would increase the liklihood of successful exploitation. Cheers, S. PS: To recap, I no longer object to this draft now the WG has preferred the hybrid, but I think better to be precise about the pros and cons.
OpenPGP_signature.asc
Description: OpenPGP digital signature
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
