IETF Logo Mail Archive

[TLS] Re: New Liaison Statement, "Liaison communication to IETF regarding draft-ietf-tls-mlkem"

Russ Housley <housley@vigilsec.com> Tue, 07 April 2026 17:47 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 4B120D799ECC for <tls@mail2.ietf.org>; Tue, 7 Apr 2026 10:47:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1775584046; bh=Bu9nwowpwaxpYIIUQL0d0YmGFsmHukRp5ne4xwZ3QM8=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=hwc5bopprP1kV82mK38dGIJcmlGnq1JrpRmLqtiEdWQVmLmDxm85sxgbhxjzlKrOa Nh/nxlCAzouA5mtzOMOSdlzdYUSZ0FavgMZqE7cND8NTCU/e89zUPylYGv0viQQ1b4 ukz0DeKG+76lb3tv9qqOxb5kHJ/TxsTdMIwQ6Xww=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=vigilsec.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CoV0aK5qflam for <tls@mail2.ietf.org>; Tue, 7 Apr 2026 10:47:25 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id DA5F6D799EC7 for <tls@ietf.org>; Tue, 7 Apr 2026 10:47:25 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id BB7461A0D33; Tue, 7 Apr 2026 13:47:25 -0400 (EDT)
Received: from smtpclient.apple (pool-96-255-71-95.washdc.fios.verizon.net [96.255.71.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id A2AB01A1D8F; Tue, 7 Apr 2026 13:47:25 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.400.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <cb54fa2b-2263-4b70-a23b-3d9dbbdff056@huitema.net>
Date: Tue, 07 Apr 2026 13:47:15 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <C0F1A98A-E6FF-4259-B185-CE3371AAE7CC@vigilsec.com>
References: <59ADD91D-9A81-4DC5-A3B5-3D8C2747AB96@vigilsec.com> <3d933b83-2b0a-40ac-80b9-dd2cc15b4766@tu-dresden.de> <903E494F-9C92-45C9-ADB2-96456A88AF91@vigilsec.com> <dbf63a1c-f1e0-480e-90a5-67f74b661267@tu-dresden.de> <adQkkfDWpMYySub0@ubby> <60167faa-c4bd-4397-988d-8b226a73b705@tu-dresden.de> <adQ2C/gPwGutLSux@ubby> <5d3aba60-d52d-4408-a5a2-b1c8bd3a6c8d@tu-dresden.de> <adROgdd2QYDRIhDA@ubby> <b55845fe-024e-4dda-b8ce-0e6ba99ad5ea@tu-dresden.de> <adUclq83CGuH9YOM@ubby> <cb54fa2b-2263-4b70-a23b-3d9dbbdff056@huitema.net>
To: Christian Huitema <huitema@huitema.net>
X-Mailer: Apple Mail (2.3864.400.21)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vigilsec.com; h=content-type:mime-version:subject:from:in-reply-to:date:cc:content-transfer-encoding:message-id:references:to; s=pair-202402141609; bh=vkxNGq5Y4DNO3o6RBsC4a2Szv2Os48t88uwdTfqMzYE=; b=tDAzrO43Etfjn3c9p4/55ma+PXjfOfz3lMxm0SfetYUZkqdl1+0/Vsfy1vgm36U8oXZ1R21+y7TqQSV3c8AMO04Aa2EjgftgFaFGlHlVwaVpp+eah4S3rUztxg/7IigE9TLWYC6ijGlNhpA4PtVnaXlCv+022DAOWJQpECP6EEsPWTDednsF6NonyPv8p0k2KgAGSOq3WICidrQiinLx1Pw6oXQrrySodZOyrpVcZBKaCPlhu4mwxLqXpayJd/AeVqCdYyyptaIn80GhvIMZVt4dPgcfpyDBfk1fsprWeA5wfAoUXnFbMTeFDUSwJfOGBqzfA2+fyYmZx3A6Ttg86A==
X-Scanned-By: mailmunge 3.09
Message-ID-Hash: OFW5D7FQBGLKFQLCE3AN7GPK6C5DGZBP
X-Message-ID-Hash: OFW5D7FQBGLKFQLCE3AN7GPK6C5DGZBP
X-MailFrom: housley@vigilsec.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: New Liaison Statement, "Liaison communication to IETF regarding draft-ietf-tls-mlkem"
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-cIaynY6VQSlLyV0WiCPrrd0Ydg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Christian:

> On 4/7/2026 8:02 AM, Nico Williams wrote:
>> On Tue, Apr 07, 2026 at 11:59:45AM +0200, Muhammad Usama Sardar wrote:
>>> Thanks Nico for sharing your insights. I think this is useful discussion and
>>> might help us make some use case for pure ML-KEM.
>>> 
>>> To be on the same page, framing the problem for clean discussion. Could you
>>> please clarify which one of the following did you mean?
>>> 
>>>    Outer TLS: Network layer: use pure ML-KEM
>>> 
>>>    Inner TLS: Application layer: use ML-KEM + ECDHE
>> This one.  Remember, the two layers are effectively independent.  If you
>> want to protect against CRQCs your options will be pure PQ or hybrid PQ,
>> and here IEEE seems to want pure PQ while we seem to want hybrid PQ,
>> thus it's this picture above.
>> 
>> (Except the "outer TLS" is only for negotiation of keys.  The actual
>> packets are not encrypted using TLS but something else more akin to
>> DTLS.)
> 
> Link-layer encryption and transport layer encryption address different threats.
> 
> TLS protects the content of the exchange, but does not protect meta-data in IP, TCP or UDP headers. Link layer encryption is often touted as protecting all the data, but since it is removed when data is routed to another link, it is at best a partial protection, and a somewhat redundant one at that since most connections use some kind of end to end encryption. Logically, link layer encryption should focus on two functions: protect against collection meta data by listening to wireless transmission or by tapping optical fibers; and, provide access control and prevent third parties interfering with the network.
> 
> 
> Maybe we should use the liaison with IEEE to mention that we would be happy if link-layer encryption focused only on the first bytes of the message, covering IP and TCP/UDP headers, and link layer addresses too if that was possible. If they can devise something like that, reduce the cost of redundant encryption, and achieve better performance, they should do it!

I do not think these observations would surprise anyone ay IEEE 802.11.  The liaison statement says that they really want to use EAP-TLS with PQC algorithms.

Russ

v2.40.4 | Report a Bug | By Email | System Status