[MLS] review and editorial notes on draft-ietf-mls-combiner-02
Carlos Aguilar Melchor <carlos.aguilar.1998@polytechnique.org> Fri, 12 December 2025 16:16 UTC
Return-Path: <carlos.aguilar.1998@polytechnique.org>
X-Original-To: mls@mail2.ietf.org
Delivered-To: mls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id B591499AEB0E for <mls@mail2.ietf.org>; Fri, 12 Dec 2025 08:16:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=polytechnique.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zidXeMd_KgN4 for <mls@mail2.ietf.org>; Fri, 12 Dec 2025 08:16:26 -0800 (PST)
Received: from mail-pj1-x102b.google.com (mail-pj1-x102b.google.com [IPv6:2607:f8b0:4864:20::102b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 5C23999AEAED for <mls@ietf.org>; Fri, 12 Dec 2025 08:16:19 -0800 (PST)
Received: by mail-pj1-x102b.google.com with SMTP id 98e67ed59e1d1-3438d4ae152so1569582a91.1 for <mls@ietf.org>; Fri, 12 Dec 2025 08:16:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=polytechnique.org; s=gapps; t=1765556179; x=1766160979; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=gUuRtuVY+Y8c2KWqk1+8Cky41CAp89ImMVhB/1peINg=; b=jLqAaesiwv34Wcd9ZXtQ1rda+Gr7f1s8gdVmdi89Hlot8cgaSKq3244qvkDlWBxoXX pK8RW7CGyQvCJ0pzpJlqhLyPQKBU/Bg/49pGI8pF0zNZ/GGoH1bmUhKWR1onxVDZKWWJ g1zWZdyM6kXd8tBp0pTmFgyAGTky6FWIaPoaU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1765556179; x=1766160979; h=to:subject:message-id:date:from:mime-version:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=gUuRtuVY+Y8c2KWqk1+8Cky41CAp89ImMVhB/1peINg=; b=YC+NX7ST2+ObbOPyJaDMc/didT2bPfks2Tdkab9PZixKNWcr50e8a3lFobrgtGUMl9 sHoLZ46U/qN4kCljS+5Ssgv9vqlRnIkfiqrJL2uk2cv73fCEyG3HtIDJi7var+nN/46l 5UvbKNQMOlaxqIuTOukjwgrtke3EFQwjQ8cGtF3MuRBvriqJlTrFQOFsGY/Po55hd6wr Et8tq4WtwCnZupXHl3R/SN4RtK8uniMqhfaGeR3ZnarbtfdRHLJ2tZY6/q/oqJ1jcrWg Rt+QkJMHNhfB1e1LSOlNNIcmWi+z0AyBFiQoB/zQOlegB9TldWz3HzsWhjr2L61myY4b wy3w==
X-Gm-Message-State: AOJu0Yw4r8BVHKnuyECxS4Mz6jAoNSJHGu+UDfH+QADKhYa2QUk0u1sA zdDoJSvVocEN/eqyDdFo2WOpEOmfR3tj3lwD0FTBJdlIQvks/rDb9ksflnj+ufWbnylLsWvIuwb ga/9mFQd2hyZ4E/TZSrvQdA48UAgyz5LD1N5y7HJl3Wi0F3I6G3ybqdw=
X-Gm-Gg: AY/fxX7sydONKsQBuXEVjv6Diw5ICz0uFvuSBKbyQf10gP55PMfU3VpNZLcxREY7c5v 7MT/7Z6Xhe3ZqA+YYMH6QQ7jxipSLom9l27u0Tp9M3Im6gDshGzatFlXkp01mFwqv5qfaWRclpZ XrGp/zEcXlwDy21jsDe41HKvbsr/PpGVxy6f+eo++nVHZ5f5mX8W89RJN3Jj+yCQte/J7M7+SjU kV6CZwWzyZ4vdIEsIl6q7MaBBPYF3Nkw3znHmkM0SM5fUBHeCCw2rHkcWzC1sFR1cLRPwD7ltMV dW3YP5djT4d0DS0AS2Mj67B5a5+0
X-Google-Smtp-Source: AGHT+IH0XyQbBAwOdI/CdXNJWrH728gKDaUUd0ETDtot3czLwH2uZxJP5zywgMlutpuVWbxD3Mhdf3AgRK/kcBHnBrQ=
X-Received: by 2002:a17:90b:5646:b0:34a:b4a2:f0aa with SMTP id 98e67ed59e1d1-34abe49fda7mr1877480a91.31.1765556178907; Fri, 12 Dec 2025 08:16:18 -0800 (PST)
MIME-Version: 1.0
From: Carlos Aguilar Melchor <carlos.aguilar.1998@polytechnique.org>
X-Gm-Features: AQt7F2rfENM8J2EVc4k9fV4k4PhkSQBSuju-5DAe1l0tsNsst3vOYh5zIVrTlVA
Message-ID: <CAMYged=DcGxzPxT8qH4GCFouLkK2khM6R2=Uq6OQJMC7pXydEw@mail.gmail.com>
To: mls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000e003280645c394f9"
X-MailFrom: carlos.aguilar.1998@polytechnique.org
X-Mailman-Rule-Hits: nonmember-moderation
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-mls.ietf.org-0
Message-ID-Hash: XKDUTMRSFUIMYCQUFDXLD3TLETS7QJ27
X-Message-ID-Hash: XKDUTMRSFUIMYCQUFDXLD3TLETS7QJ27
X-Mailman-Approved-At: Fri, 19 Dec 2025 07:58:54 -0800
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [MLS] review and editorial notes on draft-ietf-mls-combiner-02
List-Id: Messaging Layer Security <mls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/Qnkrjke-XQ3c0sQCJW8bWRDPl-0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Owner: <mailto:mls-owner@ietf.org>
List-Post: <mailto:mls@ietf.org>
List-Subscribe: <mailto:mls-join@ietf.org>
List-Unsubscribe: <mailto:mls-leave@ietf.org>
Date: Fri, 12 Dec 2025 17:24:05 -0000
X-Original-Date: Fri, 12 Dec 2025 17:16:08 +0100
Hello all, I am writing to share some feedback on draft-ietf-mls-combiner-02. I have reviewed the document and have compiled some comments and a list of editorial nits/typos. As I am new to the IETF process, please excuse me if this format is not standard or if I am breaching any protocol norms. I am happy to learn the proper workflow for future contributions, so please let me know if I should handle this differently next time. General opinion: This is in my opinion a relevant contribution. Given that PQ KEMs (like ML-KEM/Kyber) and especially PQ Signatures (like ML-DSA/Dilithium or SLH-DSA/Sphincs+) are significantly larger than ECC, the "amortized" approach is a pragmatic engineering solution to a real-world bandwidth problem. The core idea of "seeding" PQ security into a traditional session via the Exporter Secret is sound in principle. It allows the high-frequency traffic to remain lightweight (classical) while periodically "ratcheting" the PQ security. Main technical comment: I find interesting the possibility noted in 9.1 "a single FULL Commit in PQ/T Confidentiality Only mode followed by PARTIAL Commits from that point onwards", and I think quite a few users may use it. However, at first I did not measure correctly the security consequences. One can easily think "I will have HNDL resistance, and then when CRQC will be closer to a reality I will deal with PQ-PCS by changing the periodicity of the FULL Commits". This is not true, once there has been a compromise, the attacker can start doing HNDL, so basically you delay the post-compromise decryption to the arrival of the CRQC. I think the security considerations section should make more explicit that assuming CRQC arrive one day, the PCS only delay the post-compromise attacks, instead of nullifying them, only PQ-PCS provides real post-compromise security, and that doing only one initial FULL commit results in a system that only resists to HNDL until the first compromise happens. Typos/nits: * APQInfo is sometimes named HPMLSInfo or HPQMLSInfo (some old naming?) * Broken formatting at the end of section 1 * adresses the the harvest -> remove one the * terms from from MLS -> remove one from * commmits -> remove one m * occuring -> occurring * parcipating -> participating * duplictate -> duplicate * enial-of-service -> denial-of-service * can be achieve -> can be achieved * such a option -> such an option Best, Carlos
- [MLS] review and editorial notes on draft-ietf-ml… Carlos Aguilar Melchor