Bernstein's Blog

Posted Dec 11, 2025 0:36 UTC (Thu) by rgmoore (✭ supporter ✭, #75)
In reply to: Bernstein's Blog by chris_se
Parent article: Disagreements over post-quantum encryption for TLS

I'd want this to be actively discouraged and the standard should indicate that it must be disabled by default unless configured otherwise.

It also needs some kind of protection against downgrade attacks. If you're going to officially discourage its use, there had better not be a way for an attacker to force people to use it in place of more trustworthy algorithms.