IETF Logo Mail Archive

[TLS] Re: Working group last call for the deprecation experimental code points in ECDHE-ML-KEM

"Kaduk, Ben" <bkaduk@akamai.com> Tue, 04 November 2025 21:17 UTC

Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 74C1F82F0C08 for <tls@mail2.ietf.org>; Tue, 4 Nov 2025 13:17:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.793
X-Spam-Level:
X-Spam-Status: No, score=-2.793 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LlIIgs_JrzQN for <tls@mail2.ietf.org>; Tue, 4 Nov 2025 13:17:31 -0800 (PST)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [67.231.149.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 8221182F0ACD for <tls@ietf.org>; Tue, 4 Nov 2025 13:17:26 -0800 (PST)
Received: from pps.filterd (m0409409.ppops.net [127.0.0.1]) by m0409409.ppops.net-00190b01. (8.18.1.11/8.18.1.11) with ESMTP id 5A4Dm8Gt956415; Tue, 4 Nov 2025 21:17:25 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h= content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to; s=jan2016.eng; bh=EoHdtTF9zxktNx+gPKct/S RAew/nj/YLRX4/cA1DOqs=; b=ioEf2oHuhYLP94qx9E0NILeoVzUWg112zq0lcD PkkbJdAiPb9getiecthYC4qZe89kq06v8s2QLsMGibR1yT+6tjr2qGWmPFgmxtCY oq6WVpfIHhrFFCWdXI2J9nXCRImtJnFPVaQ8pxyRx49g5ddQv7cvR6GjKFamPoqF EiJKPm51ab8ZcE57iiNVW84i9oh8/lJCac0sTeTTNVmNRzh+w5rUgxCyAKtT8p2i GyBWEwfTMEyP4hneBZKHcnTNg5lnW9JM+yziEzwlA2cJkYdIoumuC0WELoXnTi09 uoEbfEyY9CpaDHpwE+Gox6UxI2/oEnaAvoXSM69e8Mz0aRrA==
Received: from prod-mail-ppoint5 (prod-mail-ppoint5.akamai.com [184.51.33.60]) by m0409409.ppops.net-00190b01. (PPS) with ESMTPS id 4a7drtbkes-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 04 Nov 2025 21:17:25 +0000 (GMT)
Received: from pps.filterd (prod-mail-ppoint5.akamai.com [127.0.0.1]) by prod-mail-ppoint5.akamai.com (8.18.1.2/8.18.1.2) with ESMTP id 5A4H5SRu014615; Tue, 4 Nov 2025 13:17:24 -0800
Received: from email.msg.corp.akamai.com ([172.27.91.41]) by prod-mail-ppoint5.akamai.com (PPS) with ESMTPS id 4a5g68nf4f-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 04 Nov 2025 13:17:24 -0800
Received: from usma1ex-dag4mb7.msg.corp.akamai.com (172.27.91.26) by usma1ex-dag5mb2.msg.corp.akamai.com (172.27.91.41) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.27; Tue, 4 Nov 2025 13:17:23 -0800
Received: from usma1ex-dag4mb2.msg.corp.akamai.com (172.27.91.21) by usma1ex-dag4mb7.msg.corp.akamai.com (172.27.91.26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.27; Tue, 4 Nov 2025 16:17:23 -0500
Received: from usma1ex-dag4mb2.msg.corp.akamai.com ([172.27.91.21]) by usma1ex-dag4mb2.msg.corp.akamai.com ([172.27.91.21]) with mapi id 15.02.2562.027; Tue, 4 Nov 2025 16:17:23 -0500
From: "Kaduk, Ben" <bkaduk@akamai.com>
To: Joseph Salowey <joe@salowey.net>, "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] Working group last call for the deprecation experimental code points in ECDHE-ML-KEM
Thread-Index: AQHcTcWXDyzj0ZxbJEixLzawfFn8ebTjBTX9
Date: Tue, 04 Nov 2025 21:17:23 +0000
Message-ID: <a3d6d651dbcb4e06b4d407d3e233029f@akamai.com>
References: <CAOgPGoDsX09SEUXr+Tq_m_5bs+erCLagSGMrAVohBRMqOkAtRQ@mail.gmail.com>
In-Reply-To: <CAOgPGoDsX09SEUXr+Tq_m_5bs+erCLagSGMrAVohBRMqOkAtRQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.27.97.193]
Content-Type: multipart/alternative; boundary="_000_a3d6d651dbcb4e06b4d407d3e233029fakamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-11-04_03,2025-11-03_03,2025-10-01_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 mlxlogscore=954 bulkscore=0 mlxscore=0 suspectscore=0 phishscore=0 adultscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2510240000 definitions=main-2511040179
X-Authority-Analysis: v=2.4 cv=b4C/I9Gx c=1 sm=1 tr=0 ts=690a6d65 cx=c_pps a=NpDlK6FjLPvvy7XAFEyJFw==:117 a=NpDlK6FjLPvvy7XAFEyJFw==:17 a=VffzjcSSX9ZDQt0N:21 a=HLlO29npYz8A:10 a=6UeiqGixMTsA:10 a=VkNPw1HP01LnGYTKEx00:22 a=VJFHFPW5AAAA:8 a=48vgC7mUAAAA:8 a=32yBIfi411kLvvffm80A:9 a=QEXdDO2ut3YA:10 a=2q4O/K3rjNU7EHYdBHB6dYyilSc=:19 a=Qf_tFzl3jXMBHcUD:21 a=frz4AuCg-hUA:10 a=_W_S_7VecoQA:10 a=AgADThdNmWmKxPRFMdYg:22
X-Proofpoint-GUID: j_zE_uAAH_uUCahYRbUaddfrbOWLHgtV
X-Proofpoint-ORIG-GUID: j_zE_uAAH_uUCahYRbUaddfrbOWLHgtV
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMTA0MDE3OSBTYWx0ZWRfXziHybA4w/yCq MVGRbJ4abkOgMAIp9BuY18cCGgrkrM0EQuWiQbVQzO7LmqfhfEEzAM3wqlSsnCOYDZBHMQ7fk/S iZjVqsk26jn6UQK1fTeXKQ+w8quvAWNn7mww4Jkzdzg2emEUsGKrePDVzGh18cwuYLAqTOBdaLD hR29BjGkCORQaTzRN6JHpObwIr4kghH6yle3wSXSH4Mwz/yefzQSK8xDY2tqy1/aEQ3GihJEkyL wyrrVDRwENla15/5gvgUaRA/sT1n84CHP/6tr8grxiuMTocOn5juHJiERPpg0WMn9FrHACShpmn yEts0HmqPOOS6BOfikYOcD0XcGy//mZRCY8DQ8T+/MjMWqSNT9JTz7NneDpWvjJ5z9hXaR8G1cv ozRBsuoZjAO3HaD1QC6a5wCc5LNa7w==
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-11-04_03,2025-11-03_03,2025-10-01_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 bulkscore=0 phishscore=0 suspectscore=0 spamscore=0 adultscore=0 impostorscore=0 clxscore=1011 malwarescore=0 lowpriorityscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2510240001 definitions=main-2511040179
Message-ID-Hash: 6RFVJUQBAHYLV6RV7GLKN4TV3SCCD3ZX
X-Message-ID-Hash: 6RFVJUQBAHYLV6RV7GLKN4TV3SCCD3ZX
X-MailFrom: bkaduk@akamai.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working group last call for the deprecation experimental code points in ECDHE-ML-KEM
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/12o0KugTtAraDIi_OgHzs8EKj9w>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

I support making the experimental code points Recommended=D.

I'm a bit less enthusiastic about switching this document to standards-track
after WGLC to effectuate the change, but it seems like the least bad option
at the moment, so I guess we should go ahead with doing it that way.
If we were at IETF LC it would be a harder decision.

-Ben




________________________________
From: Joseph Salowey <joe@salowey.net>
Sent: Tuesday, November 4, 2025 11:58 AM
To: <tls@ietf.org>
Subject: [TLS] Working group last call for the deprecation experimental code points in ECDHE-ML-KEM

Chair review of ECDHE-ML-KEM uncovered the following issue.   The document has a section obsoleting the following experimental code points assigned to pre-standard versions of ML-KEM (Kyber):  X25519Kyber768Draft00 (25497) and SecP256r1Kyber768Draft00
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender
This message came from outside your organization.

ZjQcmQRYFpfptBannerEnd
Chair review of ECDHE-ML-KEM uncovered the following issue.  The document has a section obsoleting the following experimental code points assigned to pre-standard versions of ML-KEM (Kyber): X25519Kyber768Draft00 (25497) and SecP256r1Kyber768Draft00 (25498).  This requires assigning a 'D' to the recommended column which requires standards or IESG action.  At the Monday afternoon TLS meeting there was strong consensus that the best and quickest way forward  to change the document to standards track and make the following change to section 6.4 (Obsoleted Supported Groups):

Experimental code points for previous versions of this specification were added to the TLS registry as X25519Kyber768Draft00 (25497) and SecP256r1Kyber768Draft00 (25498). This document obsoletes these entries. IANA is instructed to modify the recommended field to 'D' and update the reference to this [ this RFC ].  The comment fields for 25497 and 25498 are updated to "obsoleted by [ this RFC ]"

No other registrations are to be modified by this change.

This is a consensus call for this change only as the last call has completed for the rest of the document.. Please respond to this thread indicating if you support this action by November 14 2025.

Thanks,

Joe, Sean, and Deirdre

v2.35.0 | Report a Bug | By Email | System Status