[TLS] Re: Composite ML-DSA
Dennis Jackson <ietf@dennis-jackson.uk> Thu, 16 April 2026 09:04 UTC
Return-Path: <ietf@dennis-jackson.uk>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id C0A53DD6F8B5 for <tls@mail2.ietf.org>; Thu, 16 Apr 2026 02:04:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1776330257; bh=NTY+dNX16nsxPI0RPisVQFwDhbiBx3FLUYRXoJ6C8H8=; h=Date:Subject:To:References:From:In-Reply-To; b=HACHrL+r3EtmIfES+hnZBpxUkppLODlRVRcMhOfMNZwEoBz4pmQsRuhr5/Gg4ACbx 9EWixxo1nu0qha/Q/UFkq4nn521DfVp0W09iqTqj0Uyn4HLydyfYpuIprVrSnkzdtU tkr/NNO20O6CNSjXGgaPIgDnk+makGzsNiAwHX64=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=dennis-jackson.uk
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NufRv0tQJv9A for <tls@mail2.ietf.org>; Thu, 16 Apr 2026 02:04:16 -0700 (PDT)
Received: from mout-p-102.mailbox.org (mout-p-102.mailbox.org [IPv6:2001:67c:2050:0:465::102]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 08E29DD6F882 for <tls@ietf.org>; Thu, 16 Apr 2026 02:04:12 -0700 (PDT)
Received: from smtp2.mailbox.org (smtp2.mailbox.org [IPv6:2001:67c:2050:b231:465::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-102.mailbox.org (Postfix) with ESMTPS id 4fxBry0HqNz9v67 for <tls@ietf.org>; Thu, 16 Apr 2026 11:04:02 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dennis-jackson.uk; s=MBO0001; t=1776330242; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=Gbs1D5CkH8+VXx0CU6F3p96UopI2mc+ki0RzoT01bJk=; b=0LvYHWzRJbAq4FHikoEfkvIZElJhnEJ6P38hJ9vGcmacp+/zDDspEM8jbzssm48Wra9Gp9 W6WcQ9I6Mvi+xn7iZ/+BvMHDaoF4RNZWPZaK7RrT1MFD+IV8usUD1St9NU/bkZlw9o7AsS d57inQspeZhcMIuRrrqdCtGG2BQkiC84uKJAOluj+97iX2/W61WLSi2dNXoIHLJ7mduCEk X0umGPk3KV918R5wSzXaRvVtvipxYdZ++bt0PpG3JG69H4Z3c7zqAe8whChpCm9yvhDlkc RRYoMNL0wUEAhHJ5bLU/XIVOFpx/NQAjcIHJk7GXhH3mdT0zp1mxXhGIEkN0fA==
Authentication-Results: outgoing_mbo_mout; dkim=none; spf=pass (outgoing_mbo_mout: domain of ietf@dennis-jackson.uk designates 2001:67c:2050:b231:465::2 as permitted sender) smtp.mailfrom=ietf@dennis-jackson.uk
Content-Type: multipart/alternative; boundary="------------B54XjD3QivMhwCgF0HedMNAX"
Message-ID: <487c7f61-9ffa-4846-a2c5-092e695351cd@dennis-jackson.uk>
Date: Thu, 16 Apr 2026 10:04:00 +0100
MIME-Version: 1.0
To: tls@ietf.org
References: <16CF0FDA-7263-461A-9F2B-D37DBEAF5DD9@sn3rd.com> <CAMjbhoWwvfkfScpbf4-5PBzk__qb+6M4ZzAOba64kk9aXBba5g@mail.gmail.com> <d47a34ab-7fb9-4687-84aa-a5fa6bcf6a6c@tu-dresden.de> <2971d01a-89e3-43d3-a01d-b9c17b178763@amongbytes.com> <692bb582-ab7e-4d6b-aa75-ac5d93228bb2@tu-dresden.de> <DS4PPFA08475C7DBE27468E40C672197481C1242@DS4PPFA08475C7D.namprd11.prod.outlook.com> <LV0PR21MB6623B48B1F3A05D745F5A79D8C242@LV0PR21MB6623.namprd21.prod.outlook.com> <ad0svakv_WUM3btz@chardros.imrryr.org> <CAF8qwaBU_YHWX2MsWeeaOJ8sutR1wMozvbiTJF5kyvTE8YjWWA@mail.gmail.com> <CACsn0c=GDta824UF7uJ3nw_4U_rT=XhYOGHRemMWa+2AdbsiAg@mail.gmail.com> <3a16c7c4-345e-48ce-af70-a3bf503c8caf@app.fastmail.com> <CACf5n7_0hdeHJXXucva9pb=+pjhcgveHRpjA8XAcXB3LsYUvaw@mail.gmail.com> <CAFpG3gcC+UfO7E=ADGhwr2En5PwipZiq_r6_RdqvmT-5nnh2jw@mail.gmail.com> <d69ba150-0257-4e64-9abb-9229d03a03a6@app.fastmail.com> <129715714.1963.1776284832509@app.mailbox.org> <CAEEbLAYbQF5XapVPqGbNCuj64oYiYQ5BO5WnRBeXFQuFzs=o8g@mail.gmail.com>
Content-Language: en-US
From: Dennis Jackson <ietf@dennis-jackson.uk>
In-Reply-To: <CAEEbLAYbQF5XapVPqGbNCuj64oYiYQ5BO5WnRBeXFQuFzs=o8g@mail.gmail.com>
X-Rspamd-Queue-Id: 4fxBry0HqNz9v67
Message-ID-Hash: BGG33CRJ2BXJQA364MRZLVKQMRKU6D47
X-Message-ID-Hash: BGG33CRJ2BXJQA364MRZLVKQMRKU6D47
X-MailFrom: ietf@dennis-jackson.uk
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Composite ML-DSA
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/W0ofNtOlmj6MULgxZzzx7xkzuR0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
I broadly agree with Sophie, especially: > In many cases, signature keys can be revoked with varying amounts of > pain. In those circumstances, the additional security benefit of > hybrids is soley in defense against unpublished attacks, as published > attacks will be mitigated via revocation. As the blast radius for > signatures has a strict end with revocation of the key (as opposed to > encryption, where any ciphertext that has ever been encrypted with the > algorithm is now up for grabs). I see hybrid KEX sticking around for a while, but I don't think composite signatures make much sense in any eventuality and especially if you think the probability of near-term CRQG is rising. Best, Dennis On 15/04/2026 23:16, Sophie Schmieg wrote: > hi all, > > here is my dump on thoughts about hybrid signatures, apologizes if > some of the points have already been brought up before > > When it comes to implementation security, I've never fully bought the > argument that hybrids pose a meaningful defense. The most dangerous > implementation vulnerabilities are things like spectre, row hammer, or > good old buffer overflows. Since memory is shared, the vulnerability > of a hybrid implementation to these issues is the union of the risk > surfaces of the individual implementation, so using a hybrid increases > the risks. You could argue that correctness related vulnerabilities > like CRT faults or point not on curve attacks are the main > implementation mistakes hybrids protect against, but given the design > of the PQC algorithms which do not allow for many subtle logic bugs > (at least as long as one uses seeds as private keys [1]), and the bugs > they do allow for can be tests very well using high quality test > vector suites like Wycheproof (It was actually difficult to find > compelling test cases for Wycheproof due to the design decisions made > in the spec which made many creative input choices simply not work, as > opposed to classical crypto where such creative choices result in fun > vulnerabilities). > > In my experience, by far the biggest risk when it comes to signatures > is not in the algorithms themselves, but implementers either > forgetting to verify, ignoring the verification result, or forgetting > to check that the message actually attests to the thing they wanted > attesting for (i.e. the valid certificate for a different domain > problem). If the hybrid is implemented as a single algorithm, this > risk doesn't differ between hybrid and non-hybrid signature (and this > is one of the reasons why I strongly prefer this approach). The more > details of the hybrid construction is exposed to the caller, the more > this is no longer the case. If you teach a verifier to ignore some > signatures, you add code that is a frighteningly close Hamming > distance away from code that ignores all signatures. If you want to do > things like using an HSM for your classical signature, but a software > implementation for your PQC signature, the only takeaway that I can > see is to bury this capability as deep in the cryptographic library as > possible, and not expose any of it to the caller (other than possibly > a boolean flag that enables the HSM or a classical software > implementation, but even that is dubious). > > In many cases, signature keys can be revoked with varying amounts of > pain. In those circumstances, the additional security benefit of > hybrids is soley in defense against unpublished attacks, as published > attacks will be mitigated via revocation. As the blast radius for > signatures has a strict end with revocation of the key (as opposed to > encryption, where any ciphertext that has ever been encrypted with the > algorithm is now up for grabs), this is good enough in most threat > models, and as such I don't consider hybrid signatures essential in > those use cases. When they can be done without additional cost (this > cost can be in terms of performance, overhead or even coordination > headwinds), I still recommend using hybrid signatures, but with a > heavy bias towards just using pure signatures in case of difficulties > arising. Most importantly for the IETF here are the coordination > difficulties. I much prefer having pure ML-DSA over not having any PQC > signature at all. > > There are cases where revocation is not really possible, like for > example firmware signing keys. Here I much prefer having SLH-DSA, or > as a fallback, hybrid signatures, but these usually do not require > fully standardized solutions for the hybrid construction. > > [1] https://eprint.iacr.org/2024/523 > > On Wed, Apr 15, 2026 at 1:27 PM > <tim.beckmann=40mailbox.org@dmarc.ietf.org> wrote: > > Hi, > I'd like to add a perspective on why hybrid certificates and > authentication are useful. My background is with IoT and OT > (operational technology) devices manufactured by medium-sized > businesses. These devices often maintain a connection to the > manufacturer's backend, mutually authenticated by small scale > private PKIs (plural, because device certificates and backend > certificates are under different roots). > The deployment of these devices has the unfortunate property that > between production and first installation a lot of time can pass, > sometimes upwards of a year. With IoT, this can be because the > devices are stored in a crate or a shelf somewhere along the > retail chain, with OT, operators keep devices in storage for hot > swapping in case of hardware failures for any of the deployed devices. > The transition from traditional to post-quantum authentication > methods poses a significant problem for these device classes. In > many other scenarios, you can flip the switch from ECDSA-based > authentication to ML-DSA-based authentication the moment you judge > the CRQC threat as too high by pushing a config or > software/firmware update. (This requires that > PQ-keys/-certificates have been distributed beforehand, of > course.) But devices lying in storage have no active internet > connection to receive that information. When they authenticate the > backend many months later, for the first time in over a year, the > ECDSA keys might have been compromised already. (Under the > assumption that attacks against EC keys are widely available soon. > I'm still somewhat on the fence about that in regard to targets > that don't have extremely high value.) > One way around that dilemma is to do an initial check on whether > authentication should be switched over, by connecting to a special > endpoint once with ECDSA certificates and once with ML-DSA > certificates and verify that both give the same advice (and abort > if they don't). But from an operational perspective, issuing > hybrid certificates as soon as possible and just using those for > mutual TLS seems to be the easiest and most robust solution. > (Now, there are a lot of hurdles along the way. Most notably, > secure elements (and cellular modems with TLS stacks) are still > widely missing ML-DSA support (or SLH-DSA for that matter), but we > have that problem with non-composites as well.) > What are your thoughts on that? Do you know of a more > straightforward solution? Relying only on ML-DSA as soon as > possible is problematic, both because of customer concern and > regulatory requirements. > Best regards, > Tim Beckmann > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org > > > > -- > > Sophie Schmieg | Information Security Engineer | ISE > Crypto |sschmieg@google.com > > > _______________________________________________ > TLS mailing list --tls@ietf.org > To unsubscribe send an email totls-leave@ietf.org
- [TLS] Re: Working Group Last Call for Use of ML-D… Filippo Valsorda
- [TLS] Working Group Last Call for Use of ML-DSA i… Sean Turner
- [TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Yaroslav Rosomakho
- [TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Stephen Farrell
- [TLS] Re: [EXTERNAL] Working Group Last Call for … Andrei Popov
- [TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Use of ML-D… Quynh Dang
- [TLS] Re: Working Group Last Call for Use of ML-D… Stephen Farrell
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Van Geest
- [TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
- [TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Ilari Liusvaara
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Nadim Kobeissi
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Stephen Farrell
- [TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
- [TLS] Re: Working Group Last Call for Use of ML-D… Jan Schaumann
- [TLS] Re: Working Group Last Call for Use of ML-D… Corey Bonnell
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Soatok Dreamseeker
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Watson Ladd
- [TLS] Re: Working Group Last Call for Use of ML-D… Loganaden Velvindron
- [TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
- [TLS] Re: Working Group Last Call for Use of ML-D… Robert Relyea
- [TLS] Re: Working Group Last Call for Use of ML-D… Yaroslav Rosomakho
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
- [TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
- [TLS] Re: Working Group Last Call for Use of ML-D… tirumal reddy
- [TLS] Re: Working Group Last Call for Use of ML-D… Soatok Dreamseeker
- [TLS] Re: Working Group Last Call for Use of ML-D… Jack Grigg
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Joshua
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Wang Guilin
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Scott Fluhrer (sfluhrer)
- [TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Use of ML-D… Watson Ladd
- [TLS] Re: Working Group Last Call for Use of ML-D… David Adrian
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Yaroslav Rosomakho
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Composite ML-DSA tirumal reddy
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Composite ML-DSA Viktor Dukhovni
- [TLS] Re: Composite ML-DSA tirumal reddy
- [TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Use of ML-D… Scott Fluhrer (sfluhrer)
- [TLS] Re: Working Group Last Call for Use of ML-D… David Adrian
- [TLS] Re: Working Group Last Call for Use of ML-D… John Mattsson
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
- [TLS] Re: Composite ML-DSA Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Use of ML-D… Michael StJohns
- [TLS] Re: Composite ML-DSA Salz, Rich
- [TLS] Re: Composite ML-DSA Scott Fluhrer (sfluhrer)
- [TLS] Re: Working Group Last Call for Use of ML-D… Soatok Dreamseeker
- [TLS] Re: Composite ML-DSA Sean Turner
- [TLS] Re: Composite ML-DSA Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Composite ML-DSA Filippo Valsorda
- [TLS] Re: Composite ML-DSA Viktor Dukhovni
- [TLS] Re: Composite ML-DSA Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Use of ML-D… Tim Hudson
- [TLS] Re: Working Group Last Call for Use of ML-D… Robert Relyea
- [TLS] Re: Composite ML-DSA David Benjamin
- [TLS] Re: Composite ML-DSA Salz, Rich
- [TLS] Re: Composite ML-DSA David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Joshua
- [TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Robert Relyea
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Sean Turner
- [TLS] Re: Composite ML-DSA Muhammad Usama Sardar
- [TLS] Re: Composite ML-DSA Salz, Rich
- [TLS] Re: Composite ML-DSA Muhammad Usama Sardar
- [TLS] Re: Composite ML-DSA Daniel Van Geest
- [TLS] Re: Composite ML-DSA Viktor Dukhovni
- [TLS] Re: Composite ML-DSA Daniel Van Geest
- [TLS] Re: Working Group Last Call for Use of ML-D… Thom Wiggers
- [TLS] Re: Working Group Last Call for Use of ML-D… Sophie Schmieg
- [TLS] Re: Working Group Last Call for Use of ML-D… Falko Strenzke
- [TLS] Re: Composite ML-DSA Viktor Dukhovni
- [TLS] Re: Composite ML-DSA Muhammad Usama Sardar
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Composite ML-DSA Nico Williams
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Christopher Patton
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Rob Sayre
- [TLS] Re: Working Group Last Call for Use of ML-D… Simon Josefsson
- [TLS] Re: Composite ML-DSA Simon Josefsson
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Composite ML-DSA Filippo Valsorda
- [TLS] Re: Composite ML-DSA Daniel Van Geest
- [TLS] Re: Working Group Last Call for Use of ML-D… Dennis Jackson
- [TLS] Re: Working Group Last Call for Use of ML-D… Simon Josefsson
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Peter C
- [TLS] Re: Working Group Last Call for Use of ML-D… Simon Josefsson
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Composite ML-DSA Daniel Van Geest
- [TLS] Re: Composite ML-DSA Nico Williams
- [TLS] Re: Composite ML-DSA Sophie Schmieg
- [TLS] Re: Working Group Last Call for Use of ML-D… Yaakov Stein
- [TLS] Re: Composite ML-DSA Mike Ounsworth
- [TLS] Re: Composite ML-DSA Daniel Van Geest
- [TLS] Re: [EXTERNAL] Re: Composite ML-DSA John Gray
- [TLS] Re: Composite ML-DSA Nadim Kobeissi
- [TLS] Re: Working Group Last Call for Use of ML-D… Peter Gutmann
- [TLS] Re: Working Group Last Call for Use of ML-D… Sophie Schmieg
- [TLS] Re: Working Group Last Call for Use of ML-D… Wang Guilin
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Composite ML-DSA Muhammad Usama Sardar
- [TLS] Re: Composite ML-DSA Simon Josefsson
- [TLS] Re: Composite ML-DSA Eric Rescorla
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Composite ML-DSA Viktor Dukhovni
- [TLS] Re: Composite ML-DSA Falko Strenzke
- [TLS] Re: Composite ML-DSA Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Composite ML-DSA Hal Murray
- [TLS] Re: Composite ML-DSA John Mattsson
- [TLS] Re: Composite ML-DSA Watson Ladd
- [TLS] Re: Composite ML-DSA Mike Ounsworth
- [TLS] Re: Composite ML-DSA Wang Guilin
- [TLS] Re: Composite ML-DSA Nico Williams
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Jack Grigg
- [TLS] Re: Working Group Last Call for Use of ML-D… Peter Gutmann
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Andrei Popov
- [TLS] Re: Working Group Last Call for Use of ML-D… Filippo Valsorda
- [TLS] Re: Composite ML-DSA Yaroslav Rosomakho
- [TLS] Re: Composite ML-DSA Simon Josefsson
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Composite ML-DSA Viktor Dukhovni
- [TLS] Re: Composite ML-DSA Andrei Popov
- [TLS] Re: Composite ML-DSA Wang Guilin
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Composite ML-DSA Dennis Jackson
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Working Group Last Call for Use of ML-D… John Mattsson
- [TLS] Re: Working Group Last Call for Use of ML-D… Sean Turner
- [TLS] Re: Working Group Last Call for Use of ML-D… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Nicola Tuveri
- [TLS] Re: Working Group Last Call for Use of ML-D… Soatok Dreamseeker
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Working Group Last Call for Use of ML-D… Soatok Dreamseeker
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Nicola Tuveri
- [TLS] Re: Working Group Last Call for Use of ML-D… Tim Hollebeek
- [TLS] Re: Working Group Last Call for Use of ML-D… tim.beckmann
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Stephen Farrell
- [TLS] Re: Working Group Last Call for Use of ML-D… Ludovic Perret
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Use of ML-D… David Stainton
- [TLS] Re: Working Group Last Call for Use of ML-D… Hammell, Jonathan F - [he/il]
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Nicola Tuveri
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Daniel Apon
- [TLS] Re: [EXT] Re: Working Group Last Call for U… David Stainton
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Viktor Dukhovni
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Simon Josefsson
- [TLS] Re: Working Group Last Call for Use of ML-D… nhgajco@uwe.nsa.gov
- [TLS] Re: Working Group Last Call for Use of ML-D… Falko Strenzke
- [TLS] Re: Working Group Last Call for Use of ML-D… Kris Kwiatkowski
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Peter Gutmann
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… tim.beckmann
- [TLS] Re: Composite ML-DSA Nico Williams
- [TLS] Re: Composite ML-DSA Scott Fluhrer (sfluhrer)
- [TLS] Re: Composite ML-DSA Peter Gutmann
- [TLS] Re: Composite ML-DSA Wang Guilin
- [TLS] Re: Composite ML-DSA tim.beckmann
- [TLS] Re: Working Group Last Call for Use of ML-D… Joseph Birr-Pixton
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Peter Gutmann
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Nadim Kobeissi
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Peter Gutmann
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Nicola Tuveri
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… DA PIEVE Fabiana
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Sean Turner
- [TLS] Re: Working Group Last Call for Use of ML-D… Stephen Farrell
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Sean Turner
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Scott Fluhrer (sfluhrer)
- [TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
- [TLS] Re: Working Group Last Call for Use of ML-D… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Nadim Kobeissi
- [TLS] Re: Working Group Last Call for Use of ML-D… tim.beckmann
- [TLS] Re: Working Group Last Call for Use of ML-D… Bellebaum, Thomas
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Use of ML-D… Tim Hollebeek
- [TLS] Re: Working Group Last Call for Use of ML-D… Paul Wouters
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Wang Guilin
- [TLS] Re: Working Group Last Call for Use of ML-D… John Mattsson
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Wang Guilin
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Sean Turner
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Stephen Farrell
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Russ Housley
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Peter Gutmann
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Working Group Last Call for Use of ML-D… Nadim Kobeissi
- [TLS] Re: Working Group Last Call for Use of ML-D… Eric Rescorla
- [TLS] Re: Working Group Last Call for Use of ML-D… Richard Barnes
- [TLS] Re: Working Group Last Call for Use of ML-D… Tim Hollebeek
- [TLS] Re: Working Group Last Call for Use of ML-D… Nadim Kobeissi
- [TLS] Re: Working Group Last Call for Use of ML-D… David Adrian
- [TLS] Re: Working Group Last Call for Use of ML-D… David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Tanja Lange
- [TLS] Re: Working Group Last Call for Use of ML-D… Simon Josefsson
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Filippo Valsorda
- [TLS] Re: Working Group Last Call for Use of ML-D… Jacob Appelbaum
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Ilari Liusvaara
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… John Mattsson
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: Working Group Last Call for Use of ML-D… Michael StJohns
- [TLS] Re: Working Group Last Call for Use of ML-D… Martin Thomson
- [TLS] Re: Working Group Last Call for Use of ML-D… Salz, Rich
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Use of ML-D… John Mattsson
- [TLS] Re: Working Group Last Call for Use of ML-D… Filippo Valsorda
- [TLS] Re: Working Group Last Call for Use of ML-D… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
- [TLS] Re: [EXT] Re: Working Group Last Call for U… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Use of ML-D… Ackermann, Michael
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Michael StJohns
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … David Benjamin
- [TLS] Re: Working Group Last Call for Use of ML-D… Marc Penninga
- [TLS] Re: Working Group Last Call for Use of ML-D… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Use of ML-D… Daniel Apon
- [TLS] Re: Composite ML-DSA John Mattsson