"Salz, Rich" <rsalz=40akamai.com%dmarc.ietf.org@localhost> writes:

> Nice to hear from you Mark!
>
>> I personally believe that using the @openssh.com extension is
>> sufficient until final NIST candidate parameters are published.
>
> Okay, if that works, then that makes sense :)

It doesn't work -- sntrup761 is used widely on the Internet today and will continue to be used.

What decision could NIST make that would affect anything for sntrup761x25519-sha512? The algorithm has been stable since 2017.

Deferring publication of protocol specifications until some external organization has made some unrelated decision is an active decision that is harmful to Internet security, in my opinion. Organizations will continue to harvest data that will be decrypted in the future, and this is contrary to the goals of the IETF.

It is similar to saying that we shouldn't have published Curve25519 because it wasn't published by NIST. Or ChaCha20. Or TLS 1.3. Or OpenPGP. Or just about anything that the IETF has ever published.

/Simon