IETF Logo Mail Archive

[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

John Mattsson <john.mattsson@ericsson.com> Wed, 26 November 2025 16:52 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id BFF92912AD72; Wed, 26 Nov 2025 08:52:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=ericsson.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OGO_XiObKJBc; Wed, 26 Nov 2025 08:52:44 -0800 (PST)
Received: from PA4PR04CU001.outbound.protection.outlook.com (mail-francecentralazon11013068.outbound.protection.outlook.com [40.107.162.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id A65E2912AD52; Wed, 26 Nov 2025 08:52:44 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=zO9WNlXd4NPItoa3DNbY3Y1hU88PxAg1IuetrwT2XycYQ8rf0utUps8zzpmz863y0bymI8hjbj78ObDWy/yagxl1YfBr/Bm8iieNnD57WWLI/fD9z0nZVtZbT0PuJDG+wLd74OkxmDdwV7IUr0fkSSJfa7fTRZCcfHd8mv3v4RGNLceU4C5INIVKVBljGdx1gdR3eSFCis8o+ooI7q8MuqS0oYj13JvT7PHVQrazHLhbx3aodwCSY2s6LnRVCe254dB2tl1UqQZXOVEpDxVuxwIMrmrunWftsuSqJXp2IjaLOaTLcjP8Vndppxn7bLiGBBJ8YFhUh5umXIuHb26pCg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=90EESHeYqx3Q3R0/8Lald17lXHRO0W2zhovYHr1jdp0=; b=UjV4YQBfkI1b5Bvd84d9MposUn11yt1FuxzJHm4RNMotvhnDkc3micHlFCXvkvDYnFVKyngZ/jcr7usISbXUfRZEfDprbFFFdn/9qbGsGsLNpMI/Tlu15hYBdxBTnYPfwkYCJb+M7e8v33awKSpBNMf/QXopX+Qa9hhgznvyvYVl0jgBIrM+mPeQiKvKpbRJCf3nOeSLRGDKzOafedYmqWzXu1Xxm2Mi0VBXWbhidFirSxHxnydVkshC7x8iJzGoFtqH4qtumJkmZN8JnIE2sdsh92XgXeu8YISUgpKC0RuQIRfMFbnYpsenfFqrii2Njccp3cKCTha7UNQDsoBzuw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=90EESHeYqx3Q3R0/8Lald17lXHRO0W2zhovYHr1jdp0=; b=yBDyRjiBGyil34LoLi2fekwG9+VK88HH1vW14mx5FFkIK0sgRX+GECQKVC/Wa5klty+DwLQ7tv6dNvkk838c8R+yGdLcgDVao1LpfuAc+96sf4IQu3XOagBN5VfhUZoDV5jOiu3PgGwZH3n1+OzdNdBe80Z7dPQmrKJweiYfWFDMfROGt/OgBs6chrGogkN89a0PxOpnl91D7IhsqTyf3YNETdN7GWo/XSxmwn8RGHstX+3SWuIvIsrv19MDlA3vAMzI6xTBEIAFXxWW9uZCvRJ6E002VEueb9iTQB3ZInWHKL/DdA2yTcdolVo3D3ZB1VcNyU88eR++8eQGWgOHow==
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com (2603:10a6:150:114::10) by PR3PR07MB6748.eurprd07.prod.outlook.com (2603:10a6:102:7f::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9366.12; Wed, 26 Nov 2025 16:52:37 +0000
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::bcf3:3f45:888e:a4b8]) by GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::bcf3:3f45:888e:a4b8%3]) with mapi id 15.20.9366.009; Wed, 26 Nov 2025 16:52:37 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>, Eric Rescorla <ekr@rtfm.com>
Thread-Topic: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)
Thread-Index: AQHcXVUMK725YMF6i0e8/vKt9ER6RbUB9WOAgAA6i2uAATEgVYABx7IJ
Date: Wed, 26 Nov 2025 16:52:37 +0000
Message-ID: <GVXPR07MB967888898F95CE08C7FE585D89DEA@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <176236867319.904123.10146982018394612684@dt-datatracker-5df8666cb-7l4w5> <87see331ox.fsf@josefsson.org> <CABcZeBMiXTGzNUZ54nEOe2K=MWTU2dxo-o0eoweKcf6av55Wrg@mail.gmail.com> <87jyzf2r0x.fsf@josefsson.org> <GVXPR07MB96785AB3024567FC19CF5A0689D1A@GVXPR07MB9678.eurprd07.prod.outlook.com>
In-Reply-To: <GVXPR07MB96785AB3024567FC19CF5A0689D1A@GVXPR07MB9678.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-reactions: allow
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: GVXPR07MB9678:EE_|PR3PR07MB6748:EE_
x-ms-office365-filtering-correlation-id: 989d184a-f73c-47f1-a7a5-08de2d0c3425
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|366016|1800799024|376014|38070700021|7053199007|13003099007|8096899003;
x-microsoft-antispam-message-info: tjCrZ8lqBgdzEGp4Ua8OcqmwZci1nwS5IRGfx+lw/RwCKKzQEgjlIOVKMbuF95eM9RwtAecRpDoYlrrYhL5aFSqL8nPNO+vjhBuNyLAh0jPEjbs5L9EXbTQcYGcDefNPL4EAUUjcz6HLtFcNLK7iIvFyD+WK0WsQrkkmcjUIOAcmuxCmCzaQyoC1dLDWK24A+ZRpWOM0FvXzpFbs0Xzo9Fpx8cHGgXJTHLDqZn7LiKkc6TvkRUbIDTBJ8GLVooKxoOAmqjAqfB0MW3NfD98Q4AEIFs0UlaYB+/rJOWlFnnmHRXmquSnjHYER4y5slb/XV/UFcUs47c6DDrw1mDrIL4phHGSpv6D2XswZl2+4e3MKe9BYUSNucRfGpUlK2u9lzJIKKmfHBE8nqwnEzCFShMGWupoP0lRcIqYolUH0arlEpaz5UCst/t4PWb4Hazr+wmBS1/aQw7sYuMNlh6qWTyvcwzs8nMKv0vXudmc5TNMn+r1HGcLUx+eErdjIhHISBbwQtAqb0eaKnfGfIQj/f0H3tTfP5CCrB2xVMB1z9/CYgRNwV1XdgQrZjJjkQOvJBDTfSJTS/4sxGun9IOFKpHxHJ05672pR6bVnnWeRVRTpM4eJVe4IDc7VJiXb/twGhOeEpuYPJCKDWO6FnyjW5VutOP3bdaTmRE7XwuOGAdfG2TfKLjR27XTLj0wBUl5z+ChwbMu6J/6q0A5rBBD9pI8QUa69L3LdQZGm7UhAozxppwxfGHKOYXFjN0mEkqcXeO3aFpy1982hk6UdkvQ+OaGR+O71NNIjlEqmUJ20YVKfCmRIXBzmCdanIUDcFiYGUoRrUL4TzpfjaroMpmcm3/Hx8W6fzyov0wJkpnHdpXbv/nArG5U4UX+CAVnIq7TTdA9nA6X25roxggk2YN1dzEbGtJnJxMQWYydO2XFEyog5Ea7sUerFjLUHtw2B+mFA8EEJ6Kw4vfeOK03lJBGA7HAmpwM8h+0KV3XEUVxAoXTqo/aW8huzX/xXBV0RxYh+0Y9q1kG1j1VdwKYH1rBa7ipUnA4MG6k4BmFi7UA8NOP10A9igTWtn8zGpCn1nNv1R/u0c0S28pvbTFm/kcbgxGqFdaU1XzdKxr+V1rhJZN+UuhwgmyTighpTCA9WGedmqY+hBjHu/iKuMaSehP9VLo6+rX4f3poo+GERZQfIm4nCAOsvVtIywdfOTBmTXw9RlveEEEgSQhYclyfQGBiE+Km/o2paDZtdEAerRwTo5d8xaxjGw5wku0X+up7Nzy5YSwipdCWVVEtaCy+btREHzp3kC6Zdc+PWWkENb8ED3SFmI0KLr9sh3W/j+/rS8S626D0ncyfe3crQXknfn9ij9+ztj4zEIB4MiH6evsCkZor8qxmID6TnbQTob0J7nYu1ZWc5ya5Zz1BZuUj644JfT07Ya+Ses49GvxRbxiIOon0OkD8qMmxY7z21WCgRw5tC/C0XmFdMYuxBL8Ck8rhoskFa4PAu+BR+mJ9rtj8GX/JWl/a+f2KfTmcaaMGt/3Ff
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:GVXPR07MB9678.eurprd07.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(1800799024)(376014)(38070700021)(7053199007)(13003099007)(8096899003);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: JL5ZP0UvC9YV62UgYoMpZDn28n9zlZLaXEzV5egWArVV2Pa4fnIsZDHii83gB5OVzuUpUCiONIyi6os9omJr7ZmLPEBtifsyPOtFYp+Wsz7X/fPp+bVRACXUm+xSRp1sfs29EcLzvRqWETPbvrZ6MBEvjU/hIhNW4c9y4KPUlvnAswFvqMUS760f5zx0g5cAWhzqbVK7dRzdyZja2nAwq5rMTrJhzBbO95HAleSQptSxAIUokXrFJirwMn0w1mVFZS0IdCTAwtDRTc78XaDxueD3mJf8mwYvyyT08qAwjqm4VfuSOtXSPqrfzR7V8w0lI/hXfuvbZG6kqGa/b/72bAeoKiVL9bK55XRpA9y/Myt3V/YUKkQeWIe1k0OBxLBAXjlO4HY7fpSOQEYs8pzfDR2VUdZapdZvYEEu+sLQAJFeMVuKjpECVWjXjSuvdydrhNDcfjIfGgD4yMpEY/85IOCYBORaf6ea18lHH3Zv7WxFRr5ghGBW57c6+byppU88ugJ9BpONF53qdFV2Clucnb21USdJ8ZZXxLuxsJz/HhEZjmOepbpXZJzOr8jGCGmZXTTQPRlfX3Jp/5p50dH71huwn4aTVGJfd/eh4Ky40/BR1R6CwK+57kKP7iFCtVAsmNLwYwfSF4p5IXa0v5jmpZnq2b2Chwx8Fe0rRfP1DePIhf3yQ/kXG+Ctkiq9i5HGcddX/oiAhB/IQiB14f1rx9Qyt1jC3HaCLIp3hzaDod1WI0Z25D8hTmhzZtlOzMjDn26QZQKMDy8KYt7+gMJFtzQQIk1TR+MQ2kQ8/o1Ei+gnn1/YxqWcBmFdp8O7uhGxeFYlevh21uoK5EDVciP5SlmNT0iU5pSxQ/g0bWvvCa6DpYx8+T+CsUXupxmDUeIw6wLr1TTpSDYVy/Ny6s1PZajhpQdZ8WZD3gcNWcFvY1BRkF5tta8KR1NAmhBXZ9g1cSX5G+B6sGsdxNhsw8ww0flIChtPL6MphivwAWcW/x3qBLE4RBBywZjM+xgUmlwrzvuhdDuKS/XiiLSPLoNp6wc88oEo5V1azI5lbrTS7r+0qwaCNj85Lb7rBadHsooVB1Hk7fdEslxImoOGjHC8xG4KqVVmHiU4QXJyvtMxvPgeOo+x+F9pacznLYgzfd7saY9zq3qxw2FPSfucyzevpXEsk/a05/IxhlX4qX8HhH/eYwB7DZFPEvTABuk2lvk5Yx+y9sH6k8SZvPNdEt87PSoxdXquBNkcZN1R3ltHI+vL1MYc+SAue8VObuO7/dJ1T6cWDdrABXi5I231Dx7at9LuwZAMR5KxjgJJQmEDehx5spuWNVQ9YI/pkuT6kI4dxaPflJN3avjCIl2QUEyMJrd0Xc9NctUfC6EJZH6IDOFxpTn71ZChCXLYSQN30lh81PwGor9cR3BsCyI6DPtGGedkHA2igrtToSB1YeROepi7FR0gFbGhr6H++iAgpiVxcRwV+lfIqQSEiAee+lU4OlK8wYmfqrVIzRepq4UAQziHOeCBBxsNDM92pBtWjrwXBZ/pSWlz7UlH8AfcKbGZsr31x/hOujnSQzK//EpU0SjUR5cnIBBmN2gZJf0gN+NAGLyBQ41YvH/4iZVvz45R/i/2NZqkbazOuUsNNel3k9s=
Content-Type: multipart/alternative; boundary="_000_GVXPR07MB967888898F95CE08C7FE585D89DEAGVXPR07MB9678eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GVXPR07MB9678.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 989d184a-f73c-47f1-a7a5-08de2d0c3425
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Nov 2025 16:52:37.0533 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: hjg3JMDCAIagIIMilQVWeZHTfLik/8+7jAKCVwPrIkjYNFScFv23I6Nze/BS8TDVWkifD+M9O3JFkrzHLDD3slzhQPm79YrNhiwcQzHiEbo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR3PR07MB6748
Message-ID-Hash: HQH2GT3GU6ZYRGI2UIL23LMGVDHV655N
X-Message-ID-Hash: HQH2GT3GU6ZYRGI2UIL23LMGVDHV655N
X-MailFrom: john.mattsson@ericsson.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "draft-ietf-tls-mlkem@ietf.org" <draft-ietf-tls-mlkem@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>, "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_ZOznwiQiTkIWTbZi9Mpb2hp-XY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

If TLS intends to use hybrids long-term, a very conservative option would be ML-KEM+HQC-KEM. The ECC component of today’s PQ/T hybrids like X25519MLKEM768 will not provide any security once/if CRCQs become practical. ML-KEM+HQC-KEM offers significantly better performance than Classic McEliece and FrodoKEM for ephemeral key exchange, relies on two fundamentally different cryptographic assumptions (lattice and code).

Whether unstructured FrodoKEM or the two structured schemes in ML-KEM + HQC-KEM are more likely to face future theoretical cryptanalysis is debatable, but I believe ML-KEM+HQC-KEM is less likely to suffer from fatal implementation issues.

https://csrc.nist.gov/csrc/media/Events/2025/workshop-on-guidance-for-kems/documents/papers/ml-kem-is-great-paper.pdf
https://csrc.nist.gov/csrc/media/Presentations/2025/ml-kem-is-great/images-media/ml-kem-is-great.pdf

Cheers,
John Preuß Mattsson

From: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Date: Tuesday, 25 November 2025 at 14:21
To: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>, Eric Rescorla <ekr@rtfm.com>
Cc: draft-ietf-tls-mlkem@ietf.org <draft-ietf-tls-mlkem@ietf.org>, tls-chairs@ietf.org <tls-chairs@ietf.org>, tls@ietf.org <tls@ietf.org>
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

Simon Josefsson wrote:
>non-NIST/MLKEM hybrid PQ KEM for TLS. FrodoKEM? Streamlined NTRU Prime? We need more hybrid PQ options.

This makes absolutely no sense. Is Kyber (mostly developed by European cryptographers) suddenly bad just because NIST think it is good? Would you stop using NTRU Prime if it was standardized by NIST?

Adding more structured lattice-based cryptography such as NTRU Prime does not add much value. Agree that registering TLS code-points for FrodoKEM from a non-paywalled specification should be done.

>BSI recommends FrodoKEM and Classic McEliece, presumably leading to that high-value
attack targets in Germany uses them.  To me, those count as strong examples of external vetting.

Is ANSSI writing that Classic McEliece is not recommended also a strong example of external vetting?

>I think it may be that is actually EASIER to add another algorithm with similar characteristics as MLKEM, such as Streamlined NTRU Prime or FrodoKEM, because implementers will already have resolved those similar concerns (buffer sizes, protocol limits, API concerns etc).

FrodoKEM does not have similar characteristics to ML-KEM at all. ML-KEM have one order of magnitude smaller public keys/encapsulations and two orders of magnitude better performance.

I think HQC-KEM is the only reasonable algorithm for TLS WG to add as a backup to ML-KEM. It is code-based and has performance properties so that it could be used widely instead of ML-KEM.

Cheers,
John


From: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>
Date: Monday, 24 November 2025 at 20:05
To: Eric Rescorla <ekr@rtfm.com>
Cc: draft-ietf-tls-mlkem@ietf.org <draft-ietf-tls-mlkem@ietf.org>, tls-chairs@ietf.org <tls-chairs@ietf.org>, tls@ietf.org <tls@ietf.org>
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

Eric Rescorla <ekr@rtfm.com> writes:

> On Mon, Nov 24, 2025 at 7:14 AM Simon Josefsson <simon=
> 40josefsson.org@dmarc.ietf.org> wrote:
>
>> We are having trouble getting safe hybrid PQ solutions published.  Until
>> we have a couple of widely deployed hybrid PQ KEMs published,
>> implemented and deployed, I don't think we should fragment the already
>> thin resources we have to reach that goal by spending further cycles on,
>> and then publish a fragile solutions like this.  Please prioritize a
>> non-NIST/MLKEM hybrid PQ KEM for TLS.  FrodoKEM?  Streamlined NTRU
>> Prime?  We need more hybrid PQ options.
>>
>
> Why? The general deployed pattern in TLS is to have a small number of
> dominant algorithms and we already have X25519+MLKEM widely deployed.
> Given that any particular connection can only be protected with a single
> algorithm, it's not clear to me how the world is improved by having multiple
> algorithms with roughly the same performance properties.

Historically, I believe we have been helped by having multiple security
options available to jump between when new security problems are
published.  We don't know the nature of future security problems,
therefor hedging by having a couple of alternatives readily available
may help.  There is a cost to that, but I think it is small price
compared to the risks involved.

> I could see some argument for having some algorithm with significantly
> different performance/security tradeoff (though as I understand it there are
> some practical challenges to adding Classic McEliece), but that doesn't
> seem to be what you're suggesting here.

I'm asking for that too, Classic McEliece can be another alternative.
Given that ML-KEM has a PQ KEM monopoly here, I think almost anything we
can add will be an improvement.

I think it may be that is actually EASIER to add another algorithm with
similar characteristics as MLKEM, such as Streamlined NTRU Prime or
FrodoKEM, because implementers will already have resolved those similar
concerns (buffer sizes, protocol limits, API concerns etc).  That's why
I picked those two.  I would like to have Classic McEliece too, because
for some non-web TLS applications, it offers better properties than the
others.  From a security hedging point of view, I agree adding something
widely different make more sense (like Classic McEliece), but I don't
see these as an either-or situation.

> More generally I am opposed to the IETF publishing any algorithm
> specification
> for TLS which has not been externally vetted. That could mean standardized
> elsewhere or sign-off by CFRG, but the TLS WG should not just be picking
> up algorithms without external review and adding them to TLS.

What do you mean by 'externally vetted'?  Who to judge the quality of
the external vetter?  OpenSSH uses Streamlined NTRU Prime for many
years, and SSH traffic is a high-value attack target.  BSI recommends
FrodoKEM and Classic McEliece, presumably leading to that high-value
attack targets in Germany uses them.  To me, those count as strong
examples of external vetting.

What I often see is a request like yours is pretty much the same as
saying that nobody except NIST have the resources to evaluate crypto
algorithms, and that we should trust them.  I think that is as unwise as
only trusting BSI or OpenSSH.

/Simon

v2.37.1 | Report a Bug | By Email | System Status