On Fri, 11 Jul 2025 22:31:18 +0000 "Blumenthal, Uri - 0553 - MITLL" <uri@xxxxxxxxxx> wrote: > While SLH-DSA may be more secure than ML-DSA, performance and > signature size would make it prohibitive for dynamic authentication > for many use cases. > > As to how much security you need – for the vast majority of users > ML-DSA is plenty secure “enough”. To the point that US and German > governments (probably, among others – I didn’t bother to check) > decided to bet their security on it. There is a pretty significant community of users and developers (oftentimes people involved with projects like Kicksecure, Whonix, and Qubes OS, all of which I either contribute to or am paid to work on) where "secure enough for the government" is not secure enough. Many of those people work in situations where paranoid-level security mesures are warranted, and for those people I feel having SLH-DSA would be reasonable. Performance isn't a high priority in a lot of these situations. -- Aaron
Attachment:
pgp7b8gPcN5uO.pgp
Description: OpenPGP digital signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
