![](\"/user_uploads/2/2f/BeNzWbvia0Uj3NdpJKzOtYzB/image.png\")
Roman who?
", "time": "2024-03-22T03:03:09Z"}, {"author": "Eric Rescorla", "text": "Which is like 92 more RFCs than I did as AG
", "time": "2024-03-22T03:03:37Z"}, {"author": "Robert Moskowitz", "text": "Bravo!!!!
", "time": "2024-03-22T03:03:44Z"}, {"author": "Robert Moskowitz", "text": "clap!
", "time": "2024-03-22T03:04:24Z"}, {"author": "Dan Harkins", "text": "AG?
", "time": "2024-03-22T03:04:57Z"}, {"author": "Dan Harkins", "text": "Has Garland been replaced?
", "time": "2024-03-22T03:05:47Z"}, {"author": "Christian Huitema", "text": "EKR is thinking of the AD as someone prosecuting unruly WG participants, thus AG...
", "time": "2024-03-22T03:06:23Z"}, {"author": "Robert Moskowitz", "text": "You have to have the herding cats skill
", "time": "2024-03-22T03:09:02Z"}, {"author": "Deirdre Connolly", "text": "( \u0361\u00b0 \u1d25 \u0361\u00b0)
", "time": "2024-03-22T03:10:04Z"}, {"author": "Yoav Nir", "text": "For domain expertise you can rely on people in the group. People skills are more important.
", "time": "2024-03-22T03:12:55Z"}, {"author": "Yoav Nir", "text": "That said, a \"non-technical\" chair would still be considered an expert wherever they work.
", "time": "2024-03-22T03:13:30Z"}, {"author": "Orie Steele", "text": "I agree... in some cases, having domain expertise in a different area, is good enough, and enables a chair to simply focus on process.
", "time": "2024-03-22T03:13:59Z"}, {"author": "Jan-Frederik Rieckers", "text": "I see a different queue in the meetecho client than I see on the screen in the room.
", "time": "2024-03-22T03:14:08Z"}, {"author": "Robert Moskowitz", "text": "I took on chairing IPsec back in the day with Ted Tso having the domain expertise and I herded the cats. And dealt with the appeal. So been there, done that.
", "time": "2024-03-22T03:14:50Z"}, {"author": "Dan Harkins", "text": "Yes, people skills help run the group and let the group do the technical work.
", "time": "2024-03-22T03:14:51Z"}, {"author": "Lorenzo Miniero", "text": "@Jan-Frederik Rieckers the queue on the screen in the room only shows mic-line queues: Jonathan is in queue to share slides
", "time": "2024-03-22T03:15:53Z"}, {"author": "Jan-Frederik Rieckers", "text": "Ah. That's interesting.
", "time": "2024-03-22T03:16:19Z"}, {"author": "Justin Richer", "text": "the errata process is super broken and the tooling is awful, and I hope we can talk about this more this meeting
", "time": "2024-03-22T03:16:56Z"}, {"author": "Eric Rescorla", "text": "Justin Richer said:
\n\n", "time": "2024-03-22T03:17:32Z"}, {"author": "Eric Rescorla", "text": "the errata process is super broken and the tooling is awful, and I hope we can talk about this more this meeting
\n
https://datatracker.ietf.org/doc/draft-rescorla-rfc-jit/
", "time": "2024-03-22T03:17:34Z"}, {"author": "Eric Rescorla", "text": "And also https://datatracker.ietf.org/doc/draft-farrell-errata/
", "time": "2024-03-22T03:18:33Z"}, {"author": "Orie Steele", "text": "I won't object to seeing those videos shared on saag list
", "time": "2024-03-22T03:21:29Z"}, {"author": "Pieter Kasselman", "text": "WIMSE - Workload Identity in Multi-System Environments
", "time": "2024-03-22T03:22:43Z"}, {"author": "Orie Steele", "text": "https://datatracker.ietf.org/group/wimse/about/
", "time": "2024-03-22T03:23:26Z"}, {"author": "A.J. Stein", "text": "Can you call the readouts flights of WIMSE, @Justin Richer? (I'll see myself out.)
", "time": "2024-03-22T03:23:45Z"}, {"author": "Deirdre Connolly", "text": "++
", "time": "2024-03-22T03:24:28Z"}, {"author": "Eric Rescorla", "text": "Wes, Hoffman, are you actually in queue to talk
", "time": "2024-03-22T03:28:16Z"}, {"author": "Sean Turner", "text": "NOPE
", "time": "2024-03-22T03:28:34Z"}, {"author": "Robert Moskowitz", "text": "A button on wg/documents URL to see that the wg has errata. Then for each RFC similar...
", "time": "2024-03-22T03:32:27Z"}, {"author": "Eric Rescorla", "text": "My basic point is that errata ought to be PRs against the documents
", "time": "2024-03-22T03:32:51Z"}, {"author": "Eric Rescorla", "text": "And then when they are approved, the documents get updated.
", "time": "2024-03-22T03:33:09Z"}, {"author": "Martin Thomson", "text": "This is not a tooling problem. It's a people problem.
", "time": "2024-03-22T03:33:56Z"}, {"author": "Robert Moskowitz", "text": "But we don't update RFCs. We issue new RFCs that replace old ones. Unlike other SDOs.
", "time": "2024-03-22T03:34:01Z"}, {"author": "Eric Rescorla", "text": "actual diagram of flow chart:
", "time": "2024-03-22T03:34:28Z"}, {"author": "Eric Rescorla", "text": "\nSomeone did not do a threat model on the errata process, and left a big DDOA avenue unmitigated...
", "time": "2024-03-22T03:34:37Z"}, {"author": "Christian Huitema", "text": "DDOA =>DDOS
", "time": "2024-03-22T03:34:55Z"}, {"author": "Eric Rescorla", "text": "Robert Moskowitz said:
\n\n\nBut we don't update RFCs. We issue new RFCs that replace old ones. Unlike other SDOs.
\n
Yes, and that's the problem. We're discussing addressing htat in RSWG
", "time": "2024-03-22T03:34:55Z"}, {"author": "Robert Moskowitz", "text": "So rfc#.errate ver?
", "time": "2024-03-22T03:35:23Z"}, {"author": "Eric Rescorla", "text": "Robert Moskowitz said:
\n\n\nSo rfc#.errate ver?
\n
Or somethng
", "time": "2024-03-22T03:35:34Z"}, {"author": "Sean Turner", "text": "padding his stats that's what going on ;)
", "time": "2024-03-22T03:35:46Z"}, {"author": "Michael StJohns", "text": "Is this still live/useful? https://docs.google.com/spreadsheets/u/0/d/1nmuRTV0Fwx-p13AMSV5GMZP5QCn80K0T5Oht5d8Putw/htmlview#gid=133722335
", "time": "2024-03-22T03:38:11Z"}, {"author": "Martin Thomson", "text": "What about COSE and JOSE?
", "time": "2024-03-22T03:41:08Z"}, {"author": "Orie Steele", "text": "I'll answer
", "time": "2024-03-22T03:41:30Z"}, {"author": "Deirdre Connolly", "text": "Even a codepoint for ML-KEM-only for TLS will not be picked until FIPS 203 lands but that's in mere weeks*
", "time": "2024-03-22T03:42:42Z"}, {"author": "Orie Steele", "text": "I'm super supportive of the \"lets have a consistent experience\" for pq in IETF.
", "time": "2024-03-22T03:43:16Z"}, {"author": "Deirdre Connolly", "text": ":+1:
", "time": "2024-03-22T03:44:03Z"}, {"author": "Robert Moskowitz", "text": "I just don't have the link bandwidth/capacity for any of this. A really big sigh, as it is just too big from links I MUST work over.
", "time": "2024-03-22T03:44:10Z"}, {"author": "Orie Steele", "text": "JOSE and COSE are not the place to do unique stuff... but we can't use protocol level hybrids, so... please lets not encourage protocol layer hybrids.
", "time": "2024-03-22T03:44:24Z"}, {"author": "Deirdre Connolly", "text": "correct; also using a KEM in NamedGroup currently doesn't have an RFC to build off of (hybrid-design is not landed yet)
", "time": "2024-03-22T03:44:45Z"}, {"author": "Eric Rescorla", "text": "@Orie Steele you mean you could use like X-Wing, but you can't do two keys?
", "time": "2024-03-22T03:44:54Z"}, {"author": "Dan Harkins", "text": "I'd rather not have an IETF fixed way of doing this. The tls pq only is super clean and should be done. Othe protocols might not be so clean.
", "time": "2024-03-22T03:45:04Z"}, {"author": "Eric Rescorla", "text": "@Sean Turner there are actually three levels, I think [Available but not standard or recommended, Standard/Recommended, MTI]
", "time": "2024-03-22T03:45:37Z"}, {"author": "Orie Steele", "text": "EKR, it depends on how the hybrid is context bound
", "time": "2024-03-22T03:45:44Z"}, {"author": "Orie Steele", "text": "ideally, JOSE and COSE can use the same hybrid that TLS or PGP uses...
", "time": "2024-03-22T03:46:22Z"}, {"author": "Sean Turner", "text": "@ekr yes you are correct
", "time": "2024-03-22T03:46:28Z"}, {"author": "Orie Steele", "text": "pure PQ stuff is not a problem for JOSE / COSE... its the hybrid stuff that is concerning,... and its only concerning for none HPKE kems.
", "time": "2024-03-22T03:47:01Z"}, {"author": "Yoav Nir", "text": "Just a few IETF meetings ago, a lot of people were thinking we didn't need hybrids at all
", "time": "2024-03-22T03:47:05Z"}, {"author": "Sean Turner", "text": "And the middle one has two states: Recommended=Y/N
", "time": "2024-03-22T03:47:11Z"}, {"author": "Justin Richer", "text": "@Orie Steele \"alg: hpke-none\"
", "time": "2024-03-22T03:48:39Z"}, {"author": "Mike Ounsworth", "text": "Process suggestion: there is actually a fairly small number of authors behind hybrid KEM drafts. Should chairs / ADs just makes sure that those people are coordinating?
", "time": "2024-03-22T03:48:48Z"}, {"author": "Dan Harkins", "text": "+1 to Deirdre
", "time": "2024-03-22T03:49:00Z"}, {"author": "Sean Turner", "text": "@Justin I made the point that we should prohibit alg+none ;)
", "time": "2024-03-22T03:49:12Z"}, {"author": "Justin Richer", "text": "@Sean Turner this is different though, it's hpke-flavored version of none!
", "time": "2024-03-22T03:49:34Z"}, {"author": "Deirdre Connolly", "text": "Not saying protocols, but adopters of protocols
", "time": "2024-03-22T03:49:38Z"}, {"author": "Jonathan Hoyland", "text": "Wait, Wireguard is broken?
", "time": "2024-03-22T03:49:45Z"}, {"author": "Jonathan Hoyland", "text": "Given there's no way to do kex negotiation
", "time": "2024-03-22T03:50:06Z"}, {"author": "Orie Steele", "text": "we could be fine with a few recommended hybrids, and it would be cool if all protocols could use the same ones.
", "time": "2024-03-22T03:50:28Z"}, {"author": "Deirdre Connolly", "text": "See the CFRG meeting recording for 'any PQ KEM' not being well settled
", "time": "2024-03-22T03:50:36Z"}, {"author": "Orie Steele", "text": "+1 to no ala-cart at protocol layer.
", "time": "2024-03-22T03:50:59Z"}, {"author": "Paul Wouters", "text": "IKEv2 also does this :P
", "time": "2024-03-22T03:51:42Z"}, {"author": "Deirdre Connolly", "text": "There are many IND-CCA KEMs that cannot be securely integrated into a higher-level protocol in the exact same way (unless that way is 'hash in everything always' but many protocols don't like that / it's too expensive)
", "time": "2024-03-22T03:51:43Z"}, {"author": "Michael Prorock", "text": "hybrids are a \"here be dragons\" type problem if we are not careful here
", "time": "2024-03-22T03:51:43Z"}, {"author": "Tirumaleswar Reddy.K", "text": "Hybrid usage as it is done in TLS will have different security properties in JOSE/COSE and they will have to rely on X-Wing or some other KEM-combiner function that binds the public keys and cipher text to the derived shared secret.
", "time": "2024-03-22T03:52:14Z"}, {"author": "Michael Prorock", "text": "i am concerned re \"move quickly\" and cryptography
", "time": "2024-03-22T03:53:29Z"}, {"author": "Martin Thomson", "text": "For a la carte combiners, if we have no disagreement, then we might be able to write something down that has consensus...
", "time": "2024-03-22T03:53:32Z"}, {"author": "Orie Steele", "text": "^ +1
", "time": "2024-03-22T03:53:59Z"}, {"author": "Sean Turner", "text": "but how to we have the \"beauty contest\"
", "time": "2024-03-22T03:54:07Z"}, {"author": "Jonathan Lennox", "text": "Isn\u2019t \u201cthe ADs force a bunch of authors to work together\u201d called a working group?
", "time": "2024-03-22T03:54:22Z"}, {"author": "Martin Thomson", "text": "we'll have plenty of beauty contests to run Sean
", "time": "2024-03-22T03:54:31Z"}, {"author": "Martin Thomson", "text": "In that case, stay with hybrid.
", "time": "2024-03-22T03:55:00Z"}, {"author": "Martin Thomson", "text": "That said, if you aren't updating your software, and the node is exposed to a network, that node is not secure.
", "time": "2024-03-22T03:55:29Z"}, {"author": "Rich Salz", "text": "Or, don't deploy until you feel the industry thinks the PQ is \"safe\"
", "time": "2024-03-22T03:55:32Z"}, {"author": "Mike Ounsworth", "text": "Michael Prorock said:
\n\n\ni am concerned re \"move quickly\" and cryptography
\n
Hi. Have you seen CNSA 2.0?
", "time": "2024-03-22T03:55:36Z"}, {"author": "Yoav Nir", "text": "Jonathan Lennox said:
\n\n\nIsn\u2019t \u201cthe ADs force a bunch of authors to work together\u201d called a working group?
\n
It's called a directorate
", "time": "2024-03-22T03:55:46Z"}, {"author": "Deb Cooley", "text": "not every system or every protocol can bear the burden of hybrid - performance, bandwidth, etc.
", "time": "2024-03-22T03:55:48Z"}, {"author": "Orie Steele", "text": "agree.
", "time": "2024-03-22T03:56:05Z"}, {"author": "Michael Prorock", "text": "+1
", "time": "2024-03-22T03:56:16Z"}, {"author": "Robert Moskowitz", "text": "I keep hearing that aviation will be able to solve this when we have affordable Sat Internet covering the whole world.
", "time": "2024-03-22T03:56:25Z"}, {"author": "Orie Steele", "text": "I prefer Pure before Hybrid... as general approach to PQ transition.
", "time": "2024-03-22T03:56:28Z"}, {"author": "Michael Prorock", "text": "Pure I am good with as a starting place
", "time": "2024-03-22T03:56:36Z"}, {"author": "Michael Prorock", "text": "(and prefer generally)
", "time": "2024-03-22T03:56:43Z"}, {"author": "Robert Moskowitz", "text": "Scary stuff.
", "time": "2024-03-22T03:57:46Z"}, {"author": "Martin Thomson", "text": "I don't understand the constrained node arguments. I thought that the number of bytes was the primary source of cose, not the amount of computation.
", "time": "2024-03-22T03:58:05Z"}, {"author": "Rich Salz", "text": "@Michael, how can you be okay with pure-pq and also be concerned with the speed of the work? Honest question.
", "time": "2024-03-22T03:58:16Z"}, {"author": "Robert Moskowitz", "text": "The difference between theory and practice is what?
", "time": "2024-03-22T03:58:23Z"}, {"author": "Deirdre Connolly", "text": "++ Deb
", "time": "2024-03-22T03:58:45Z"}, {"author": "Jonathan Lennox", "text": "Orie: are you as confident in ML-KEM as X25519 against a classical attacker?
", "time": "2024-03-22T03:58:48Z"}, {"author": "A.J. Stein", "text": "10-15 years in government/military? Now that's lightspeed! (I wish I wasn't only half-kidding.)
", "time": "2024-03-22T03:58:55Z"}, {"author": "Robert Moskowitz", "text": "Aviation talks about 25+ years for a transition.
", "time": "2024-03-22T03:58:59Z"}, {"author": "Yoav Nir", "text": "The transition from RSA to ECDSA (or EDDSA) is still ongoing, 20 years later.
", "time": "2024-03-22T03:59:06Z"}, {"author": "Michael Prorock", "text": "@rich - I am not saying we standardize immediately on pure - saying that that is a good start and we beat it up real good as a starting place
", "time": "2024-03-22T03:59:13Z"}, {"author": "Orie Steele", "text": "MT, I don't think its hard to do hybrids in cose, its just not a good idea to do them in a way that is unique to COSE, or do it before enabling pure PQ first.
", "time": "2024-03-22T03:59:20Z"}, {"author": "Eric Rescorla", "text": "The performance cost of the hybrid KEM is verys mall
", "time": "2024-03-22T03:59:20Z"}, {"author": "Ran Atkinson", "text": "It isn't just DoD which has transition challenges -- realistically it is any large organization/company.
", "time": "2024-03-22T03:59:25Z"}, {"author": "Eric Rescorla", "text": "Even the bandwidth isn't that big
", "time": "2024-03-22T03:59:29Z"}, {"author": "Christian Huitema", "text": "\"I am retired, I don't do this anymore.\" Funny, I heard that before...
", "time": "2024-03-22T03:59:45Z"}, {"author": "Deb Cooley", "text": "that depends on the system you are on.
", "time": "2024-03-22T03:59:46Z"}, {"author": "Deirdre Connolly", "text": "More than 800 bytes
", "time": "2024-03-22T03:59:49Z"}, {"author": "Martin Thomson", "text": "Hybrid signatures are far less needed than hybrid KEMs.
", "time": "2024-03-22T04:00:25Z"}, {"author": "Deirdre Connolly", "text": "Hybrid sigs are big because ML-DSA / SHS / Falcon are big
", "time": "2024-03-22T04:00:28Z"}, {"author": "Sean Turner", "text": "Agree with MT
", "time": "2024-03-22T04:00:36Z"}, {"author": "Andrew Fregly", "text": "Suppos Mayo is an approved algorithm.
", "time": "2024-03-22T04:00:40Z"}, {"author": "David Benjamin", "text": "And similarly low cost to do the hybrid portion.
", "time": "2024-03-22T04:00:44Z"}, {"author": "Robert Moskowitz", "text": "I can JUST support those 64 bytes.
", "time": "2024-03-22T04:00:56Z"}, {"author": "Deirdre Connolly", "text": "Long term signatures yes, short term signatures... we might be able to wait longer
", "time": "2024-03-22T04:01:04Z"}, {"author": "Orie Steele", "text": "@Jonathan Lennox re confidence in hybrids, I don't think its worth registering code points for any hybrids, if you already don't trust the component enough to use it standalone... and its easy to register code points for both.
", "time": "2024-03-22T04:01:04Z"}, {"author": "Eric Rescorla", "text": "I think the point Scott is making is that Hybrid isn't much bigger than PQ
", "time": "2024-03-22T04:01:05Z"}, {"author": "Dan Harkins", "text": "Bandwidth is not the issue
", "time": "2024-03-22T04:01:23Z"}, {"author": "Sean Turner", "text": "@Christian :rolling_on_the_floor_laughing:
", "time": "2024-03-22T04:01:26Z"}, {"author": "Robert Moskowitz", "text": "For me this is a fun, non-real education.
", "time": "2024-03-22T04:01:48Z"}, {"author": "Martin Thomson", "text": "Dan: bandwidth is what concerns me most
", "time": "2024-03-22T04:01:49Z"}, {"author": "Andrew Fregly", "text": "Memory, CPU and transport are issues depending on the protocol.
", "time": "2024-03-22T04:02:05Z"}, {"author": "Jonathan Lennox", "text": "I thought the whole point of hybrid was due to lack of confidence in the PQ algorithm security, because they\u2019re young
", "time": "2024-03-22T04:02:15Z"}, {"author": "Martin Thomson", "text": "not the 32 bytes, the 1k bytes
", "time": "2024-03-22T04:02:19Z"}, {"author": "A.J. Stein", "text": "I feel we lost track of the point on ekr's slide, these points and counter-points on the queue and chat confirm a majority agree we cannot do any either of those assumption options, am I wrong?
", "time": "2024-03-22T04:02:22Z"}, {"author": "Jonathan Lennox", "text": "(Algorithm or implementation)
", "time": "2024-03-22T04:02:48Z"}, {"author": "Deirdre Connolly", "text": "The size of hybrid is not so much a distinguisher against PQ-only, it's the complexity and eventual further migration off hybrid (TLS hybrid key agreement is not complex, hybrid signatures can be)
", "time": "2024-03-22T04:02:49Z"}, {"author": "Yoav Nir", "text": "Jonathan Lennox said:
\n\n\nI thought the whole point of hybrid was due to lack of confidence in the PQ algorithm security, because they\u2019re young
\n
By the time we go through the IETF process, they won't be young anymore
", "time": "2024-03-22T04:02:55Z"}, {"author": "Robert Moskowitz", "text": "Yes, the 1K bytes in a 250byte MTU and then needing FEC when need to span multiple frames.
", "time": "2024-03-22T04:03:21Z"}, {"author": "Orie Steele", "text": "EKR's first 2 bullet points, we should be able to get consensus on... do both... you won't see consensus to just do hybrids.. mic drop.
", "time": "2024-03-22T04:03:35Z"}, {"author": "Dan Harkins", "text": "@Martin, that's the big pole on the tent. So for the hybrid or pq-only argument, bandwidth doesn't matter.
", "time": "2024-03-22T04:03:42Z"}, {"author": "Martin Thomson", "text": "dan: exactly my point :)
", "time": "2024-03-22T04:03:59Z"}, {"author": "Deirdre Connolly", "text": "Kyber was introduced in 2017, 7 years ago
", "time": "2024-03-22T04:04:03Z"}, {"author": "Yoav Nir", "text": "Robert Moskowitz said:
\n\n\nYes, the 1K bytes in a 250byte MTU and then needing FEC when need to span multiple frames.
\n
Even under those conditions, 1024 bytes vs 1056 bytes is not that big a deal.
", "time": "2024-03-22T04:04:09Z"}, {"author": "Andrew Fregly", "text": "I hear your pain Robert. Three signatures on an NSEC3 response is too much for UDP transport
", "time": "2024-03-22T04:04:11Z"}, {"author": "Deirdre Connolly", "text": "Based on years of LWE and other lattice work before that
", "time": "2024-03-22T04:04:20Z"}, {"author": "Robert Moskowitz", "text": "Yes, not a big deal. Both don't fit.
", "time": "2024-03-22T04:04:35Z"}, {"author": "John Gray", "text": "I showed some slides at lamps showing the size comparison of PQ+classic signatures. For these hybrid Certs it was between 160 bytes to 810 bytes.
", "time": "2024-03-22T04:05:08Z"}, {"author": "Sean Turner", "text": "There's a farewell reception later ... let's continue there with booze!
", "time": "2024-03-22T04:05:23Z"}, {"author": "A.J. Stein", "text": "Orie Steele said:
\n\n\nEKR's first 2 bullet points, we should be able to get consensus on... do both... you won't see consensus to just do hybrids.. mic drop.
\n
I think I misunderstood some of the feedback I thought some queue comments were saying standardizing one or both wasn't practical for all protocols and contexts (outside of TLS), but it seems I misinterpreted.
", "time": "2024-03-22T04:05:45Z"}, {"author": "Martin Thomson", "text": "When that day comes, we can talk about removing cruft. But that is still science fiction.
", "time": "2024-03-22T04:06:21Z"}, {"author": "Deb Cooley", "text": "complexity of the implementation is the other concern of hybrid.
", "time": "2024-03-22T04:06:32Z"}, {"author": "Jonathan Lennox", "text": "I guess it\u2019s the philosophical difference between \u201cthis is too big, so a little bit more doesn\u2019t matter\u201d vs. \u201cthis is too big, so let\u2019s squeeze it smaller wherever we can\u201d
", "time": "2024-03-22T04:06:44Z"}, {"author": "Tadahiko Ito", "text": "I believe it is more reasonable to develop capability of switching signature algorithm, instead of implement PQC signature now.
", "time": "2024-03-22T04:06:48Z"}, {"author": "Deb Cooley", "text": "How many pristine implementations are there now?
", "time": "2024-03-22T04:06:53Z"}, {"author": "Deb Cooley", "text": "none.
", "time": "2024-03-22T04:06:56Z"}, {"author": "Deirdre Connolly", "text": "Not science fiction
", "time": "2024-03-22T04:06:57Z"}, {"author": "Eric Rescorla", "text": "The implementation complexity only goes away when the hybrid is removed.
", "time": "2024-03-22T04:07:01Z"}, {"author": "Deirdre Connolly", "text": "2030s
", "time": "2024-03-22T04:07:03Z"}, {"author": "Orie Steele", "text": "i just want us to pick one... either register pq and then hybrid, or just register hybrid.
", "time": "2024-03-22T04:07:06Z"}, {"author": "Deb Cooley", "text": "@ekr: exactly.
", "time": "2024-03-22T04:07:15Z"}, {"author": "Deb Cooley", "text": "just implement one algorithm.
", "time": "2024-03-22T04:07:23Z"}, {"author": "David Benjamin", "text": "We're not actually wasting a ton of energy. It'll be a waste, sure, but it's relatively small. It won't be the first small waste we do in the name of compatibility, and it won't be the last.
", "time": "2024-03-22T04:07:29Z"}, {"author": "John Gray", "text": "To add to that, as Mike said, it was between 3-4% extra overhead for EC based Hybrid signatures in Certs and 13-14% for RSA based hybrids.
", "time": "2024-03-22T04:08:28Z"}, {"author": "Deirdre Connolly", "text": ":+1: paul
", "time": "2024-03-22T04:09:04Z"}, {"author": "Orie Steele", "text": "+1 paul
", "time": "2024-03-22T04:09:22Z"}, {"author": "Eric Rescorla", "text": "MD5 is almost as great as FNV-1a
", "time": "2024-03-22T04:10:22Z"}, {"author": "Martin Thomson", "text": "y u no DIAMETER?
", "time": "2024-03-22T04:10:25Z"}, {"author": "Deirdre Connolly", "text": ":wave:
", "time": "2024-03-22T04:11:07Z"}, {"author": "John Gray", "text": "I don't know why every one says hybrid signatures is so complicated. At least for composites signatures its essentially a for loop and some extra hash. I've implemented it and its not hard, our hackathon team implement it in a day.
", "time": "2024-03-22T04:11:43Z"}]