Non-EC MTI Algorithm

[stpeter]

In his ArtArt review, Cullen Jennings wrote:

Given the requirements for crypto agility, I think this there should be at
least one MTI algorithm that does not rely on EC. Pinning all your hopes on a
single algorithm surely is not the best security advice the IETF can provide.
If a EC did have a problem, clearly we would want something already build and
deployed that we could switch too.

I think the authors neglected to discuss this issue when we were working on -10.

[thomas-fossati]

I don't think there's anything left (in usable state) for 1.2: DHE negotiation is broken and static RSA is out of the question.

[stpeter]

Replied on list: https://mailarchive.ietf.org/arch/msg/uta/OpNZryOHzpddbiGEziy8BQ1iXio/

[stpeter]

List discussion seems to be leading in the direction of not adding a non-EC cipher suite.

[stpeter]

As far as I can see based on further list discussion, no new text is needed. I will wait another ~24 hours before closing this issue.