Hiya,

On 07/07/2026 19:49, Sophie Schmieg wrote:
  I think it is important to emphasize that, even if
one assumes a total compromise of pure ML-KEM there exists no risk to the
public internet from this draft.

I find the above unconvincing. The dual-ec fiasco also involved
paying commercial entities to implement the borked alg as well
as the odd code additions in the Juniper case. Were there a
backdoor in ML-KEM (which I do not think is the case) then it
could be exploited, and the existence of this putative RFC would
increase the liklihood of successful exploitation.

Cheers,
S.

PS: To recap, I no longer object to this draft now the WG has
preferred the hybrid, but I think better to be precise about
the pros and cons.

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to