IETF Last Call Review of draft-ietf-tls-hybrid-design-14
review-ietf-tls-hybrid-design-14-opsdir-lc-chown-2025-08-13-00

Hi,

I have reviewed draft-ietf-tls-hybrid-design as part of the IETF Last Call
process.

The draft presents a framework for using multiple key exchange algorithms such
that should all but one of those multiple algorithms be defeated security is
still maintained.

The original motivation lay with the transition to post-quantum cryptography,
with the draft having been iterated since at least 2019. I agree that there is
good motivation for the draft, and producing a document capturing such
recommendations is time well spent.

General comments:

The document is well-written and clear to read, and about the right length for
its nature.

There are some points that have led me to say that nits remain.

1) I am a little puzzled that it is Informational, yet uses a lot of 2119
language, in particular several MUSTs. While I believe Informational documents
can do this, I think it's relatively rare to see.  Perhaps the status should be
reconsidered, or the use of such language.

2) I also note the document states that the term 'hybrid' is used in other
contexts, and could potentially cause confusion here.  I would agree that
'composite' would be a better term to use, but a rewrite to change that would
take time and effort.

3) The discussion around performance and latency tradeoffs of the additional
algorithms being blended is appropriate. The document could note more clearly
that the tolerance for lower performance / increased latency will depend on the
context and use case of the systems and the network involved.

4) In the backwards compatibility section, is it also possible that a client or
server may not be hybrid-aware, but two 'next generation' algorithms be in use,
with no traditional algorithm, or by definition does a 'widely deployed'
traditional algorithm have to be included?

Overall, the document is close to being ready to advance.

Tim