[TLS] Re: [EXT] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3
Jacob Appelbaum <jacob@appelbaum.net> Thu, 23 April 2026 11:48 UTC
Return-Path: <jacob@appelbaum.net>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 8FEEEE19CA9B for <tls@mail2.ietf.org>; Thu, 23 Apr 2026 04:48:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1776944889; bh=KmZI/md2ajuof7wGK014xhBZlPeSJj9pR3iS1z5Ut0A=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=rfY0SHc/7hhDz2c2SPFxZiCqa7IjzyjIH2dnsrmukaLAOSCQxEbgvSASmWbtsyite aXglPCV8bZX++V0jww/pE/xGYkcNPsgSxf/mEvoiX5gUewYwCOBfdaIaBUQXrNZWBr 37kSnkliHkzmMlnHUjdhh1Rf+iiJqC1xPLxqnSgc=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.797
X-Spam-Level:
X-Spam-Status: No, score=-1.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, LONGWORDS=1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=appelbaum.net
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OT1KRG2Xt1Ca for <tls@mail2.ietf.org>; Thu, 23 Apr 2026 04:48:08 -0700 (PDT)
Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 02ADEE19CA98 for <tls@ietf.org>; Thu, 23 Apr 2026 04:48:07 -0700 (PDT)
Received: by mail.gandi.net (Postfix) with ESMTPSA id DB6BC3EC06; Thu, 23 Apr 2026 11:48:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=appelbaum.net; s=gm1; t=1776944886; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=vicZJKDvlTQgjzzfZ6f7a/tuMWG7mAJDlfxsf8uK4HM=; b=OzY/gXh5SbiR9QyRSCJXUu0LpwstcSKQ7Pg9lOWG81gXNcqSwA7n0t6Gs1/gHPqIapELkA XPJ2fD2vMmXilEMKvvGMZKd4/anSSHfoQ61ov1IxrdxNsWLi6WDqyWZQA3vB6u3xT48xyS v2uxk81cjI/Vs2WACeaQALwbDgdYcxZXzDBe1URVNTCuW5tHE0vF8GHdIR9Pm+MMHo8MN/ F64fEh5W69MYreFdZBwbKxZ6hl+E80vVop2Bktll+mR6bkelCIyDDi7hmKNuhNHEf9wUKm SPsb2nYYy3VV2Qc+5sE3ejT5DkzQ46xdOxqYcPzRnTajA5dSbWMdGxXh0FJHqg==
Message-ID: <1f82b04b-6151-49e8-93fb-17d14ee796da@appelbaum.net>
Date: Thu, 23 Apr 2026 13:48:00 +0200
MIME-Version: 1.0
To: Daniel Apon <dapon.crypto@gmail.com>
References: <CANm5x_OdZ5U0G+ctATQxPWRGMZxEVrC_1oi4vdeT4mAEZwXHrQ@mail.gmail.com> <B1335D87-5055-4F4C-9F02-9C4A0D3BE890@ll.mit.edu> <584929a9-17b5-40f4-a98d-a58c32c90774@appelbaum.net> <CAPxHsS+hbRr5ouO9p=_KowV19Q3uyEh2AtDe=C5kUd+bm4j9RA@mail.gmail.com>
Content-Language: en-US
From: Jacob Appelbaum <jacob@appelbaum.net>
Autocrypt: addr=jacob@appelbaum.net; keydata= xsFNBFXlpJ8BEACnFzfarolZLsaP8GCk/ytNIUk6+GstAAVqQdHprkx3TfZl5/tUQC7a9oz/ +QD93U2Zq0RVj6/fAiZeV8X0TadVDcYo2KNk693EC1qwJwGMOMiYKEqAS1PuNSzQqvtyqlm9 0TrGL2qVKqIGHP1CXdV5QAlqqvpG5AVaH49H+cLmzkGdnz8Dp89zcmQ43EPvBxnHSq2P3D8+ aMgICQmzjxnqzX4X1w45EqNIv3STmTDS5HxhISu8KpRuWXvAm1XItCQGzJAq/ybEW60NpH4q yZsPQ74w6K3kECwEwUrO3yCScKuWFFs2qIdvditoWRIZQSErZi0VhMMoxx1n0y6dYffNvds7 c7j5n23KZ++8pZjqdql/cFez7o7RBn+tiTO5jJCFkhgDK51jQxec0d0qjeQvxCaafsM0q8qJ n8icW16yzOg5Ace6Hg+l+0DicqiwYYW1807xd+BGT4YqagdbtiB7UPcfEzAo84QlqYjqcKqT 3tKFf6SuetGffEW9f3XP9y19IqpNNRJDdWDrz44GeH86j/XE01buJE4evjvFaoUAGUYoB3Ul ZjtKj9bm1NpeKBmkgD1pqR4cWFf9tRJf31ztgd6PZBzuZ2fJkXShbz0wIVL+wDAX4X/fyUib OO1tgf9c+BYhRn8LTA9JtfAdm1YnscSK8pjLiD4u/Hbqk0H0WwARAQABzSVKYWNvYiBBcHBl bGJhdW0gPGphY29iQGFwcGVsYmF1bS5uZXQ+wsGIBBMBCgAyFiEE4R/M4wW5yEZ5Oweu2aEf fpkhXaEFAlXlpJ8CGwMCCwkCFQoFFgIDAQACHgECF4AACgkQ2aEffpkhXaHVCBAAhIJNeG8v q9SdwSmolgv4cqBOXYxuiH1GkZv4tbUHJfmg+msXFXY77Wd3G48ltM4srqCmfwGCGu2Y4Ggu iU3XQPwyQ7KU49WFU5s8ZFq0m/pt2chIlI3uvenvsxvS1GkljOrhpk/flkdtdqDb60GZizTZ JVnXMNuDmvTr97ltQ3q9vrp+tZv/+I02uhsWQGTQrSdCjOUYNtO3C4S/GSMDZ7Jzf6X89s1z /O7os4YCZx3qVxR9IsLqkFi/TyVsROOiIzea0oPifaO94Cg8kkEc9eYLfJwfIW7A67SLbiTd U4tkxT7o0SgAc0aHB24xZKkoLSVAXW/GyJlq/K8aB5Z3RYWibe4i4aCa/uJDaZwACLapU5pp botaM+yisguEZo/t10KGbkamwPHeaGi/UPLxUjR3TpeGWF31/xRe80vtVxaBCOy1+6W88UBH 3hFwb4mnH1jmZUKkjX0xAdzOf9ry7B/JLTsOSEoatj2IrmfNhM+66x9buLq8nPDbx4c3gfvd qcMbvkJDzGrGIF+dfhaGL42vBk69wziS6VL9eUZG6cDqL3yd+UqioFELV3n0I8NJR3QeOVkv nibez4PfpYvgvFiEf+0sPlUnEN6axrUdZNtKSm1+Lw7NSXVWwMHtNE9jn7fXaWIZ6thgHaoA ES5uVLQYwkpcHQ4UcUMuGGun2M7OwU0EVeWknwEQAL1jVf/pnmjEHYW7EGbhHy5C8lALekKt ubPT9/OPwY1rYXgjPYC9PMw0gTVpYVxotBRIY3NCay9Jsm5QtMX3EnkCP0dEv8EWU+o2WlEY JtwQFC/TQbwaKBaMgHWpUJFD07KdKMp/92CUMOMHEqToxv+TI+hidbRMRt/McYf0V9mrzE+5 KmQESfTSXPtV32LyslOMpeDIOa/XS816H2jtw4Mzb+VF0EdlqCvltovUIr0ghh4HSaOVQi8t bjax2F8NKM87yIhszsdneiDIH7Rk9ZznWfC5IMkLWCejPh1EZlU3zNzv+FFdDREaQ54SezE6 txW86UaBvwWUOAdgdYw6cDXBeAYfn90O6v96WxLUthfomAHb7kjTSG4ngOcoiOq/i/wOFryR G07bhL+WYA63hvqIM89DHfmhWhUsOkiUDbDK9xOABGQ7+UJ39r4IaNa4IUn/hSmyevncyJYJ MdjCDSruqmY4V34d3Q2cnAy+1jf8Cm4opOYdzAtuHNfjWLbXksO2z4mncee4NdKlpvD9rZCD 6iSEsdRV5UuiP8oBEi/4q1RNn8abCmyWUQXqdo3vnkV3Bgl8GnuS6GGEzVJq3pC8CqjZ97V/ +YHjgPcMUL2RCc9/QRfR71BjYsllLwlZtl85zYcbNORDUzVOe1Qg+k8DygcDPAuvFwLzLn1+ MGrZABEBAAHCwXYEGAEKACAWIQThH8zjBbnIRnk7B67ZoR9+mSFdoQUCVeWknwIbDAAKCRDZ oR9+mSFdoaX7D/49q6ALUSfwFyanXeX4YLfndeTCJd7AiGGlYVFzESkk4DUEy68Y8e7gYs4B 2YDpRzDgJrx2A61u7oSHv0b4hzwUJ41TyBbE4D2hR8o9qnAX2jpwWPinjCInbinUGkpfSZxn b7Yn6/p2kw5JeWGFlBJEyz3/g5ebq0qrx/OdpS9b8Jxlde3Le0jU+753BHV0ef3JfCTH6BuM 2T8Cv64n7vkhZWqUgnB3rEXIzq+xbYrpLJTeapwSr3k+xjI5YpmiTjUD8uCwzSJoq8x5YnXV CjA7TNGvhANFu1j5ElnSf4I6mje3gL+MK8Fw75SUZqdTL73rXstP2HqzDIV+19w8JA25h/Tm CcCYu717hq0kJVk2wiFbmhJHj6kb0tgn7xCCw9xe4g4T9K5YL4UiSpL+zxIb1BLuaYoYtPXP RcX0NkBu+N38Tvpng6HrBGFHQzTv4GB60eDm0A5+zbQe4RFmR5G1BdBpeYauNbtA9gAhuBZy DJPEu/qlaj3Ptk8MZiLFeHTZaBj9O1W8NuqK88k8KYkV/gd1Vni55bMee4CAhfGnHedDySGf mzbNFr/QAYmT3flZg7xnVJWSF904U8QAN1lejrC2dsj6TcaTHIzf9T3SZQDvc6e2ocYu6VeS Ctn4q1Sm/1ctbXEKhP8Ye1RRRwO0GvxJACvuHfoDqeZI98haZw==
In-Reply-To: <CAPxHsS+hbRr5ouO9p=_KowV19Q3uyEh2AtDe=C5kUd+bm4j9RA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-GND-Sasl: jacob@appelbaum.net
X-GND-Score: -104
X-GND-Cause: dmFkZTEmqhrhHu8UKe7+3dEgp9eWsRjitjH/k30EeqrwFJ+t9I8bC34Fe0R5uFnxI3d95RKycNf+bY8wI16epYfeI25W0OGupAkdRTUwvkYRkUH2BFMhT6eqGHUsCkYVsHDqepedCpKQAzdA8YjDq6GMuI4byujN/X/uu/YSiYBV0oHiYJxyu6o2fsds2jGJI5HBegcPDYZZHkQPS9C9287IX+F8EGWbX23dQGvc9IRXwxaYL8rqps1Um0YRiFI7Xq2KD3qHMui08WRsYLbI4Fx905Rf/BtCU6pgsVzYlUjPJg77oSuOnFUZa4eY/HqhYtZRymOfHPMNRjoPddRalP1/MFSRTQ0tjZi7I87qSqDw/ZpAaLUDi4ti+irlHyyOmPzD2BNyN7lt9qaBoZquTb4fesMGbqS8y+92xCXdD5evh4SNirGrJ/lT33AGo7SrY2E3qxKzFPM3SQIak2kjYMQzqN6D1n2ceqlPZtBJ2gByWZWT92xNaHgiXwBTTCP4c0dB7LaqvXFtsy8FDaHfaghOnNZUMVeIIfgf7Dp9NkHwn2AQacWsfLiD8k/RfgCMq8ZAeExJ3BEApWP8658hyxERfSIuVyETs/9z87ZmPNCzk8f8cxRN2guDoQoZIg6yCV6bOGbG92K3xl35Xh4QrPnIc2GfkIQLoeCNwEWA/E0IuRoD2Q
X-GND-State: clean
Message-ID-Hash: 2PJCA7FZB6LH6ZZWLD4HZC757UXHG4KG
X-Message-ID-Hash: 2PJCA7FZB6LH6ZZWLD4HZC757UXHG4KG
X-MailFrom: jacob@appelbaum.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Nicola Tuveri <nic.tuv@gmail.com>, "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [EXT] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/UPb6ZlbzCSKB3nwuroMePdaowGo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Hi Daniel, On 4/23/26 04:34, Daniel Apon wrote: > Hi Jacob, > > You wrote: " A non-exhaustive list of ways that one might avoid pure > PQ: - if the PQ crypto fails as SIKE failed - if some or all of > Peter Gutmann's criticisms about CRQCs are correct - if the PQ > crypto fails in a novel way that CRQCs enable - if the it is > impractical to break both ECC and the PQ during the window in which > it matters - if the PQ crypto deployment gives adversaries an > opportunity to sabotage previously functional cryptography and thus > break security - recommendations and/or regulations that impose a > hybrid requirement" > > > Please allow me to address each (trying to delineate where > reasonable points of disagreement exist versus points that don't, to > me, seem reasonable): > Are you able to share your threat model and ideally any obligations that hinder open dialog? Allow me to go first with a rough threat model: I am concerned about well funded Large Scale Adversaries engaged in strategic and tactical sabotage. Active attacks on the internet including pervasive mass surveillance, and active attacks on TLS. These concerns are contextually relevant to this list. I am not bound by any NDA in this field, nor have I ever applied for, or held, a US (or other) government clearance. I have no legal lifetime obligations to silence, and indeed my obligations are almost the opposite: I have worked with confidential sources to publish information that is in the public interest. > > " - if the PQ crypto fails as SIKE failed" > > This is a common public misunderstanding of the NIST PQC process. No, I do not think so. I do not believe that I misunderstand the NIST PQC process. I see it from the outside while I understand you may see it from the inside, as your own work, at least in part. I may be wrong, and I welcome learning more about your experience and context. I am not disparaging your efforts either as much as I am expressing a lack of confidence in my own government's processes and long term strategies. That is to say, I am perhaps disparaging aspects of NIST's result. I filed official comments[0] with NIST as part of that process which show that the PQC process resulted in changes that myself and others find problematic. Those comments were not addressed formally by cryptographers at NIST or the relevant political leadership. I have directly spoken to various sources at NIST (and NSA) who have told me that they are not entirely free to speak on these matters. This does not surprise any of the usual knowledgeable people who understand how the sausage is made. Surprise or not, it lowers confidence in the NIST PQC process and in NIST as well. Academic cryptographers are as impressive as they are underfunded and under resourced. This is not to disparage the efforts by those academic cryptographers working in the open. Respectfully, their expertise is immense. Unfortunately, even their expertise and especially their resources are completely dwarfed by the Large Scale Adversaries playing the field. > One should not view SIKE as being broken as a knock against greater- > than-decade-long PQC standardization processes, but rather a wildly > successful outcome of such processes and a testament to the > mathematical rigor applied to PQC standardization that SIKE *was not > standardized* while waiting for an attack to be published. Full > stop. > Unfortunately, this is misunderstands points made about SIKE by a country mile and it reflects at least a difference of perception if not experience. It probably reflects a difference of knowledge as well but I will try not to presume to know what you know. This is part of the context: - NIST is required by law to consult with NSA[1] - Neither NIST nor NSA has adequately addressed the cryptographic sabotage shown in PROJECT BULLRUN[2] and specifically Dual_EC_DRBG[4] to ensure there can never be a repetition - The IETF and specifically TLS was targeted[3] as part of this sabotage - No one has been held accountable for decades of cryptographic sabotage - People involved with cryptographic sabotage wittingly, and even unwittingly, continue to be involved with cryptographic systems and also with standardization - NIST cryptographers are required to carry a clearance with lifetime obligations and to consult with NSA in a way that binds them to secrecy under threat of serious penalty - NSA cryptographers are also required to carry a clearance with lifetime obligations - Those cryptographers are generally not supposed to talk about their lifetime obligation but some of them do, thankfully - Some of those lifetime obligated cryptographers switch to industry which in turn ties back to PROJECT BULLRUN's tactics and strategies which include infiltration of standards bodies, companies, and software projects. The shoulder tap combined a request is a valid attack that is extremely challenging to counter This leads us back to SIKE: - Many Cryptographers expressed confidence in SIKE that was unfounded - SIKE being broken shows the brilliance of a handful of people while also highlighting the limits of open cryptanalysis - SIKE being broken *and published* by someone other than NIST when NIST is required by law to consult with NSA is expected with what we know about PROJECT BULLRUN - It is fairly implausible that NSA did not know before the public, especially given the targeted NSA (and other agencies) surveillance of cryptographers and their respective workplaces, including in Europe - The fact that open cryptanalysis broke something that was in round four is being used to glaze the overall process itself which is undeserved. That research came from the academic community and the context merely provided incentives. Unfortunately, it also provides a locus of control such as with patents and regulatory levers - The NIST process provides pressure to switch from something we understand to be secure today to something we hope will be secure tomorrow while also giving a lever for change control to NIST (and by extension of US law, NSA). That lever was used, and it is still being used Harm reduction is one lesson: Deployments of PQ crypto that were later broken remain secure today because of hybrid constructions as part of those PQ experiments. We probably can't resolve all of the issues above but we can avoid making risky choices that benefit Large Scale Adversaries. > " - if some or all of Peter Gutmann's criticisms about CRQCs are > correct" > > Without diving down into rabbit holes about dogs and waffles or > whatever other satire, was there a serious technical point worth > highlighting? Historically, one of the best "cartoon form" arguments > in Garey and Johnson's book "Computers and Intractability: A Guide > to the Theory of NP-Completeness" was on page 3, captioned: *"I > can't find an efficient algorithm, but neither can all these famous > people."* > > To wit: in this situation, we have many famous people working on > building CRQCs. Some have recently won the Nobel Prize in Physics > for their work towards large-scale quantum computing engineering. To > be clear, the majority corpus of expert opinion is clearly in favor > of a near-to-medium-term CRQC emerging. > Nevertheless, if one switches to PQ without hybrid constructions today, one may not need a quantum computer. A quantum computer may or may not arrive, but the fatal mistake of removing a known good thing in exchange for a new speculative thing is poor risk management. It seems reasonable to consider quantum computers as an engineering problem just as cryptographic sabotage is an engineering problem. We should seek systematic, safe choices that center on protecting (internet) user first. Corporations and governments have weighed in along with other technically skilled folks, and their interests differ from the regular user in many cases. Those regular users are people who will be stuck with the defaults. They will often not even know that they're making a tradeoff that isn't even mentioned in the security considerations of an internet standards document. > > " - if the PQ crypto fails in a novel way that CRQCs enable" > > There seems to be no such potential pathways that are believable/ > known, despite various attempts in the past years by Yilei Chen and > Yifan Zhang. > I recall in round three[5] of the NIST process that you were quoted as saying: “SIKE is a fantastic scheme, but its computation is by far the most expensive, and the problem is relatively new. Who knows here?” To echo your previous curiosity while not endorsing things where I lack confidence in the scheme, I would ask the same question: Who knows here? There is evidence in the literate says that new attacks against PQ systems will continue to improve using regular computers and that the security boundaries of some PQ cryptography when faced with an existing quantum computer may be lower than initially estimated. There are credible disputes about the NIST calculations of PQ security levels. > > " - if the it is impractical to break both ECC and the PQ during the > window in which it matters" > > This is somewhat of a more valid point, and it comes down to a > question of the intelligence lifespan of data. In some scenarios, > maybe an hour or a day is the relevant information content of data. > In others, years or decades are not enough to erase the sensitivity > of communications. This is a strange thing to say in the context of signatures. We probably agree about the risks of decryption of data purloined through targeted and mass surveillance. If so, I am glad that we can find a common point of agreement. However, it seems to be a category error to discuss the concerns of implied decryption of mass surveillance data, say stored at the Bluffdale MDR, when signature forgery is the topic of discussion. A conservative hybrid signature construction should protect against signature forgery including any failures in the new PQ system. Long-term security starts with being secure today, and optimizing away the security we rely on today is reducing the total number of hard problems underlying the security assumptions of these cryptographic systems. > > Certainly, hybrid ECC+PQC (in whatever form it occurs) may be more > reasonable for relatively less sensitive data, but for more > sensitive data, the "window in which it matters" is inherently long. > And in the longer window, fewer hard problems is... better? If the keys are otherwise unrelated and securely combined, I would enjoy reading your reasoning. If the concern is that it won't be done correctly, well, yes, that is indeed a problem. Thankfully we have some things already that appear to be as good as it gets; we should not throw them away. > > " - if the PQ crypto deployment gives adversaries an opportunity to > sabotage previously functional cryptography and thus break security" > > I suppose that's why the world participated in a decade-long common > evaluation process to vet the new cryptography, which was not only > standardized without serious technical objection to the security of > the PQ cryptographies, but was standardized with alternative > technical opinions left objectively wanting in public. It took many > years for the global conversation to reach that final point. Without NIST systematically addressing comments and concerns that were filed as part of that process, you're ironically reinforcing my observation. If you're saying the math is fine, we're probably talking past each other. Yes, many cryptographers think that the math is fine or that they don't see a problem which isn't quite the same result as thinking it to be fine. Meanwhile, I have spoken with (American, European, and other) cryptographers who simply refused to engage with the NIST process at all for a variety of reasons. This may be a blind spot for a former NIST person but I suspect you're well aware. Though there are cryptographers who don't think all of the math is fine, and others still report that they don't always understand the math. The latter two are especially concerning and seem to be implicitly dismissed by your line of reasoning. The changes imposed by NIST (and by extension influenced by NSA as required by US law) aren't all mathematically interesting. I noted some of this in my comments to NIST. There is much to say on this topic. Most of all it is worth noting that there is published evidence of NSA and related agencies targeting TLS, IPsec, SSH, and other widely deployed cryptographic systems. NSA sabotaged standards, software, and even hardware all the same. The hardware sabotage includes but is not limited to SIGINT enabling of CPUs produced by an American (fabless semiconductor) firm[6]. The NSA and related Large Scale Adversaries have many confirmed successes in breaking the security of the systems. The NSA influence over on NIST over many decades imposes a serious burden on NIST's credibility, as do the security clearance lifetime obligations of people who know more than they are allowed to say in the open. Large Scale Adversary interference includes social, political, workplace, and even technical ostracism[7] as part of the documented playbook. > > " - recommendations and/or regulations that impose a hybrid > requirement" > > This is a great reason to want an option for hybrid PQC+ECC, but > it's not a reason to forbid pure PQC. Businesses (such as mine) that > participate as vendors in multiple markets will spend the > appropriate effort to satisfy local regulations in each > jurisdiction, of course. > Defaults matter and upcoming standards will be seen as de facto transition documents that endorse specific kinds of deployments. This document endorses a more risky deployment than is reasonable for those with concerns about Large Scale Adversary interference in cryptographic security. I remain open to the possibility that there are compelling arguments while still remaining opposed to publication at this time even after considering your points. Kind regards, Jacob Appelbaum [0] https://csrc.nist.gov/files/pubs/fips/203/ipd/docs/fips-203-initial-public-comments-2023.pdf [1] https://www.lawfaremedia.org/article/nsas-subversion-nists-algorithm [2] https://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption [3] https://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html [4] https://projectbullrun.org/dual-ec/ [5] https://csrc.nist.gov/CSRC/media/Events/third-pqc-standardization-conference/documents/accepted-papers/costello-case-for-sike-pqc2021.pdf [6] https://www.computerweekly.com/news/366552520/New-revelations-from-the-Snowden-archive-surface [7] https://cryptome.org/2014/02/gchq-online-deception.pdf and https://www.aclu.org/sites/default/files/assets/the_art_of_deception_training_for_online_covert_operations_0.pdf (see page 48 for an instant classic) > > On Wed, Apr 22, 2026 at 5:49 PM Jacob Appelbaum > <jacob@appelbaum.net> wrote: > >> Hello Uri, >> >> On 4/22/26 21:52, Blumenthal, Uri - 0553 - MITLL wrote: >>> There can be arguments about the life expectancy of hybrids - >>> from zero to CRQC appearance - but can be no objection to the >>> point that once CRQC is here, only pure PQ will make sense. >>> >> >> With respect, I suspect that there there will be measurements >> rather than mere speculative arguments. >> >> The life expectancy will depend greatly on such a machine >> existing, who has such a machine, who is willing to reveal that >> they have such a machine, how efficient and/or useful it is for >> practical attacks, and most importantly if the PQ cryptography >> actually survives contact with that reality. The latter point >> seems particularly challenging as a discussion point. >> >> Something that I haven't seen raised in this discussion is a >> possible middle ground where we see something like the proposed >> TWINKLE[0]/TWIRL[1] machines where breaking a single key may be >> feasible but cost prohibitive at scale. Those proposed systems did >> not force RSA into retirement. Meanwhile, LOGJAM[2] resulted in >> RFC8270 rather than RSA's end. >> >> There are several kinds of PQ failures that we have seen, >> additional failures that we expect to see, and a few that many of >> us hope won't happen at all. SIKE remains a humbling example that >> is seemingly avoided in many of these discussions. >> >>> Thus, arguing against pure PQ makes no sense in my opinion: you >>> may be able to delay long enough to avoid hybrids, but there’s >>> no way you’d avoid pure PQ. — Regards, Uri >> >> As of today, there isn't a quantum computer that is public and >> breaking ECC. We are fairly confident that ECC is secure today >> modulo various kinds of NOBUS and other kinds of cryptographic >> sabotage. We are also fairly confident that ECC will fall >> eventually if there is a quantum computer. Most people are >> confident that there will be a relevant quantum computer and that >> we should prepare. It seems odd to prepare by increasing the risk >> of attacks by computers that already exist today. >> >> A non-exhaustive list of ways that one might avoid pure PQ: - if >> the PQ crypto fails as SIKE failed - if some or all of Peter >> Gutmann's criticisms about CRQCs are correct - if the PQ crypto >> fails in a novel way that CRQCs enable - if the it is impractical >> to break both ECC and the PQ during the window in which it matters >> - if the PQ crypto deployment gives adversaries an opportunity to >> sabotage previously functional cryptography and thus break >> security - recommendations and/or regulations that impose a hybrid >> requirement >> >> Hybrid compositions make sense for encryption and for signatures. >> Attacks with a quantum computer to break the cryptographic >> encryption or signature system(s) may be roughly the same but I am >> not convinced that the consequences are equal. It is remarkable >> that signature forgery isn't considered more of a concern than >> HNDL. >> >> Arguing for a belt rather than suspenders and a belt is often a >> reasonable fashion choice but is it an equally secure and >> resilient system? >> >> Kind regards, Jacob Appelbaum >> >> [0] https://en.wikipedia.org/wiki/TWINKLE [1] https:// >> en.wikipedia.org/wiki/TWIRL [2] https://en.wikipedia.org/wiki/ >> Logjam_(computer_security) >> >>>> On Apr 22, 2026, at 13:25, Nicola Tuveri <nic.tuv@gmail.com> >>>> wrote: >>>> >>>> Hi Rich, thanks for your clarification, indeed my phrasing >>>> was not ideal. I’ll take your comment as a chance to clarify >>>> my stance. Code point assignment and deployment support are >>>> distinct considerations. In practice, non-experimental >>>> production ZjQcmQRYFpfptBannerStart This Message Is From an >>>> External Sender This message came from outside the Laboratory. >>>> ZjQcmQRYFpfptBannerEnd >>>> >>>> Hi Rich, >>>> >>>> thanks for your clarification, indeed my phrasing was not >>>> ideal. I’ll take your comment as a chance to clarify my >>>> stance. >>>> >>>> >>>> Code point assignment and deployment support are distinct >>>> considerations. In practice, non-experimental production >>>> deployments generally rely on both assigned code points and a >>>> published standard. >>>> >>>> >>>> Concerns about the proliferation of standards introducing >>>> support for additional code points are not uncommon on this >>>> list. I note a similar concern here in support of delaying >>>> this draft. >>>> >>>> >>>> At present, the process risks creating the impression of a >>>> “first- to-standard” outcome, where publication effectively >>>> determines the direction of deployment before the trade-offs >>>> have been fully examined, possibly even stalling the progress >>>> of other drafts. In particular, the argument that introducing >>>> additional options increases complexity has been raised >>>> repeatedly on this list, but it does not seem sufficient on >>>> its own to guide decisions in a security area WG. It would be >>>> preferable to more explicitly evaluate the security properties >>>> of hybrid and non-hybrid approaches and reach a position that >>>> can inform what should-and should not-be advanced to standard. >>>> >>>> >>>> Best regards, >>>> >>>> Nicola Tuveri >>>> >>>> >>>> >>>> On Wed, Apr 22, 2026 at 19.30 Salz, Rich <rsalz@akamai.com >>>> <mailto:rsalz@akamai.com>> wrote: >>>> >>>> * I have read the draft, but I do not support its publication >>>> at the moment. >>>> >>>> >>>> * My rationale is that this draft adds complexity by adding >>>> extra code points for pure mldsa. >>>> >>>> >>>> Code points are assigned when a stable reference is available, >>>> as you might recall from the long threads on the pure ML-KEM >>>> draft. So I don’t think your stated rationale makes sense. >>>> >>>> _______________________________________________ TLS mailing >>>> list -- tls@ietf.org To unsubscribe send an email to tls- >>>> leave@ietf.org >>> >>> >>> _______________________________________________ TLS mailing list >>> -- tls@ietf.org To unsubscribe send an email to tls- >>> leave@ietf.org >> >> _______________________________________________ TLS mailing list >> -- tls@ietf.org To unsubscribe send an email to tls-leave@ietf.org >> >
- [TLS] Re: Working Group Last Call for Use of ML-D… Filippo Valsorda
- [TLS] Working Group Last Call for Use of ML-DSA i… Sean Turner
- [TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Yaroslav Rosomakho
- [TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Stephen Farrell
- [TLS] Re: [EXTERNAL] Working Group Last Call for … Andrei Popov
- [TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Use of ML-D… Quynh Dang
- [TLS] Re: Working Group Last Call for Use of ML-D… Stephen Farrell
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Van Geest
- [TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
- [TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Ilari Liusvaara
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Nadim Kobeissi
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Stephen Farrell
- [TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
- [TLS] Re: Working Group Last Call for Use of ML-D… Jan Schaumann
- [TLS] Re: Working Group Last Call for Use of ML-D… Corey Bonnell
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Soatok Dreamseeker
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Watson Ladd
- [TLS] Re: Working Group Last Call for Use of ML-D… Loganaden Velvindron
- [TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
- [TLS] Re: Working Group Last Call for Use of ML-D… Robert Relyea
- [TLS] Re: Working Group Last Call for Use of ML-D… Yaroslav Rosomakho
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
- [TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
- [TLS] Re: Working Group Last Call for Use of ML-D… tirumal reddy
- [TLS] Re: Working Group Last Call for Use of ML-D… Soatok Dreamseeker
- [TLS] Re: Working Group Last Call for Use of ML-D… Jack Grigg
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Joshua
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Wang Guilin
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Scott Fluhrer (sfluhrer)
- [TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Use of ML-D… Watson Ladd
- [TLS] Re: Working Group Last Call for Use of ML-D… David Adrian
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Yaroslav Rosomakho
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Composite ML-DSA tirumal reddy
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Composite ML-DSA Viktor Dukhovni
- [TLS] Re: Composite ML-DSA tirumal reddy
- [TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Use of ML-D… Scott Fluhrer (sfluhrer)
- [TLS] Re: Working Group Last Call for Use of ML-D… David Adrian
- [TLS] Re: Working Group Last Call for Use of ML-D… John Mattsson
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
- [TLS] Re: Composite ML-DSA Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Use of ML-D… Michael StJohns
- [TLS] Re: Composite ML-DSA Salz, Rich
- [TLS] Re: Composite ML-DSA Scott Fluhrer (sfluhrer)
- [TLS] Re: Working Group Last Call for Use of ML-D… Soatok Dreamseeker
- [TLS] Re: Composite ML-DSA Sean Turner
- [TLS] Re: Composite ML-DSA Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Composite ML-DSA Filippo Valsorda
- [TLS] Re: Composite ML-DSA Viktor Dukhovni
- [TLS] Re: Composite ML-DSA Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Use of ML-D… Tim Hudson
- [TLS] Re: Working Group Last Call for Use of ML-D… Robert Relyea
- [TLS] Re: Composite ML-DSA David Benjamin
- [TLS] Re: Composite ML-DSA Salz, Rich
- [TLS] Re: Composite ML-DSA David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Joshua
- [TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Robert Relyea
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Sean Turner
- [TLS] Re: Composite ML-DSA Muhammad Usama Sardar
- [TLS] Re: Composite ML-DSA Salz, Rich
- [TLS] Re: Composite ML-DSA Muhammad Usama Sardar
- [TLS] Re: Composite ML-DSA Daniel Van Geest
- [TLS] Re: Composite ML-DSA Viktor Dukhovni
- [TLS] Re: Composite ML-DSA Daniel Van Geest
- [TLS] Re: Working Group Last Call for Use of ML-D… Thom Wiggers
- [TLS] Re: Working Group Last Call for Use of ML-D… Sophie Schmieg
- [TLS] Re: Working Group Last Call for Use of ML-D… Falko Strenzke
- [TLS] Re: Composite ML-DSA Viktor Dukhovni
- [TLS] Re: Composite ML-DSA Muhammad Usama Sardar
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Composite ML-DSA Nico Williams
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Christopher Patton
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
- [TLS] Re: Working Group Last Call for Use of ML-D… Simon Josefsson
- [TLS] Re: Composite ML-DSA Simon Josefsson
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Composite ML-DSA Filippo Valsorda
- [TLS] Re: Composite ML-DSA Daniel Van Geest
- [TLS] Re: Working Group Last Call for Use of ML-D… Dennis Jackson
- [TLS] Re: Working Group Last Call for Use of ML-D… Simon Josefsson
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Peter C
- [TLS] Re: Working Group Last Call for Use of ML-D… Simon Josefsson
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Composite ML-DSA Daniel Van Geest
- [TLS] Re: Composite ML-DSA Nico Williams
- [TLS] Re: Composite ML-DSA Sophie Schmieg
- [TLS] Re: Working Group Last Call for Use of ML-D… Yaakov Stein
- [TLS] Re: Composite ML-DSA Mike Ounsworth
- [TLS] Re: Composite ML-DSA Daniel Van Geest
- [TLS] Re: [EXTERNAL] Re: Composite ML-DSA John Gray
- [TLS] Re: Composite ML-DSA Nadim Kobeissi
- [TLS] Re: Working Group Last Call for Use of ML-D… Peter Gutmann
- [TLS] Re: Working Group Last Call for Use of ML-D… Sophie Schmieg
- [TLS] Re: Working Group Last Call for Use of ML-D… Wang Guilin
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Composite ML-DSA Muhammad Usama Sardar
- [TLS] Re: Composite ML-DSA Simon Josefsson
- [TLS] Re: Composite ML-DSA Eric Rescorla
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Composite ML-DSA Viktor Dukhovni
- [TLS] Re: Composite ML-DSA Falko Strenzke
- [TLS] Re: Composite ML-DSA Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Composite ML-DSA Hal Murray
- [TLS] Re: Composite ML-DSA John Mattsson
- [TLS] Re: Composite ML-DSA Watson Ladd
- [TLS] Re: Composite ML-DSA Mike Ounsworth
- [TLS] Re: Composite ML-DSA Wang Guilin
- [TLS] Re: Composite ML-DSA Nico Williams
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Jack Grigg
- [TLS] Re: Working Group Last Call for Use of ML-D… Peter Gutmann
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Andrei Popov
- [TLS] Re: Working Group Last Call for Use of ML-D… Filippo Valsorda
- [TLS] Re: Composite ML-DSA Yaroslav Rosomakho
- [TLS] Re: Composite ML-DSA Simon Josefsson
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Composite ML-DSA Viktor Dukhovni
- [TLS] Re: Composite ML-DSA Andrei Popov
- [TLS] Re: Composite ML-DSA Wang Guilin
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Composite ML-DSA Dennis Jackson
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Working Group Last Call for Use of ML-D… John Mattsson
- [TLS] Re: Working Group Last Call for Use of ML-D… Sean Turner
- [TLS] Re: Working Group Last Call for Use of ML-D… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Nicola Tuveri
- [TLS] Re: Working Group Last Call for Use of ML-D… Soatok Dreamseeker
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Working Group Last Call for Use of ML-D… Soatok Dreamseeker
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Nicola Tuveri
- [TLS] Re: Working Group Last Call for Use of ML-D… Tim Hollebeek
- [TLS] Re: Working Group Last Call for Use of ML-D… tim.beckmann
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Stephen Farrell
- [TLS] Re: Working Group Last Call for Use of ML-D… Ludovic Perret
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Use of ML-D… David Stainton
- [TLS] Re: Working Group Last Call for Use of ML-D… Hammell, Jonathan F - [he/il]
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Nicola Tuveri
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Daniel Apon
- [TLS] Re: [EXT] Re: Working Group Last Call for U… David Stainton
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Viktor Dukhovni
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Simon Josefsson
- [TLS] Re: Working Group Last Call for Use of ML-D… nhgajco@uwe.nsa.gov
- [TLS] Re: Working Group Last Call for Use of ML-D… Falko Strenzke
- [TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Peter Gutmann
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… tim.beckmann
- [TLS] Re: Composite ML-DSA Nico Williams
- [TLS] Re: Composite ML-DSA Scott Fluhrer (sfluhrer)
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Composite ML-DSA Wang Guilin
- [TLS] Re: Composite ML-DSA tim.beckmann
- [TLS] Re: Working Group Last Call for Use of ML-D… Joseph Birr-Pixton
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Peter Gutmann
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Nadim Kobeissi
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Peter Gutmann
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Nicola Tuveri
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… DA PIEVE Fabiana
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Sean Turner
- [TLS] Re: Working Group Last Call for Use of ML-D… Stephen Farrell
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Sean Turner
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Scott Fluhrer (sfluhrer)
- [TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
- [TLS] Re: Working Group Last Call for Use of ML-D… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Nadim Kobeissi
- [TLS] Re: Working Group Last Call for Use of ML-D… tim.beckmann
- [TLS] Re: Working Group Last Call for Use of ML-D… Bellebaum, Thomas
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Use of ML-D… Tim Hollebeek
- [TLS] Re: Working Group Last Call for Use of ML-D… Paul Wouters
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Wang Guilin
- [TLS] Re: Working Group Last Call for Use of ML-D… John Mattsson
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Wang Guilin
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Sean Turner
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Stephen Farrell
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Peter Gutmann
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Working Group Last Call for Use of ML-D… Nadim Kobeissi
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Working Group Last Call for Use of ML-D… Richard Barnes
- [TLS] Re: Working Group Last Call for Use of ML-D… Tim Hollebeek
- [TLS] Re: Working Group Last Call for Use of ML-D… Nadim Kobeissi
- [TLS] Re: Working Group Last Call for Use of ML-D… David Adrian
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Tanja Lange
- [TLS] Re: Working Group Last Call for Use of ML-D… Simon Josefsson
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Filippo Valsorda
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… John Mattsson
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: Working Group Last Call for Use of ML-D… Michael StJohns
- [TLS] Re: Working Group Last Call for Use of ML-D… Martin Thomson
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… John Mattsson
- [TLS] Re: Working Group Last Call for Use of ML-D… Filippo Valsorda
- [TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Use of ML-D… Ackermann, Michael
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Michael StJohns
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Marc Penninga
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
- [TLS] Re: Composite ML-DSA John Mattsson