I oppose publishing draft-ietf-tls-mlkem.

I believe that hybrid is a more conservative and prudent approach to security 
than standalone ML-KEM is, and that the use of hybrid helps provide protection 
against flaws in ML-KEM, whether those are due to implementation errors, future 
cryptanalysis, or some other source. I believe that it's appropriate for the 
TLS WG to favor approaches that it believes to be appropriately secure, and not 
to endorse approaches that are less secure than approaches it's already 
endorsed. As the custodian of the concept of "doing TLS security well", the WG 
should be making choices of this sort.

I also think that the material impact of this draft not being published by TLS 
is minimal but net positive. As many have noted, this draft can be published 
via the ISE as well; implementers who want to implement standalone ML-KEM in 
TLS will be able to do it interoperably; that will happen whether or not the 
TLS WG publishes this draft. The effect of TLS not publishing this draft will 
simply be that, at the margin, there will be some number of implementers who 
choose hybrid rather than standalone. This will be a small but real benefit to 
security of TLS-using systems.

Cheers,

William

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to