I oppose publishing draft-ietf-tls-mlkem. I believe that hybrid is a more conservative and prudent approach to security than standalone ML-KEM is, and that the use of hybrid helps provide protection against flaws in ML-KEM, whether those are due to implementation errors, future cryptanalysis, or some other source. I believe that it's appropriate for the TLS WG to favor approaches that it believes to be appropriately secure, and not to endorse approaches that are less secure than approaches it's already endorsed. As the custodian of the concept of "doing TLS security well", the WG should be making choices of this sort.
I also think that the material impact of this draft not being published by TLS is minimal but net positive. As many have noted, this draft can be published via the ISE as well; implementers who want to implement standalone ML-KEM in TLS will be able to do it interoperably; that will happen whether or not the TLS WG publishes this draft. The effect of TLS not publishing this draft will simply be that, at the margin, there will be some number of implementers who choose hybrid rather than standalone. This will be a small but real benefit to security of TLS-using systems. Cheers, William
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
