[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

John Mattsson <john.mattsson@ericsson.com> Thu, 27 November 2025 16:02 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>, Eric Rescorla <ekr@rtfm.com>
CC: "draft-ietf-tls-mlkem@ietf.org" <draft-ietf-tls-mlkem@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Date: Thu, 27 Nov 2025 16:02:36 +0000
Message-ID: <GVXPR07MB96788602130757CA20A7A43B89DFA@GVXPR07MB9678.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2CzWuwsis1bUcBXxUqbSgmy_M5I>

Eric Rescorla wrote:
> What's *not* compliant is if you have an implementation which doesn't
> support P-256, no matter what other groups it supports.


As I wrote in my response to Bernstein, RFC 8446 mandates ECC only when no application profile specifies otherwise. An application profile that removes ECC is compliant with RFC 8446.


Muhammad Usama Sardar wrote:
> couple of sentences that basically tell me nothing about why this draft even exists.
> Specifically, I would like to know more about those users to be able to reach out to them to ask whether they also want attestation.


I agree that the draft should include a more detailed motivation. Some relevant points:

- ML-KEM-512 is likely the most suitable PQC option for some constrained IoT deployments. It is reasonable to expect that several constrained systems will eventually use (D)TLS 1.3 with PQC algorithms.

- ML-KEM-512 is the only adopted quantum-resistant algorithm that can be used to bypass legacy middleboxes. I would like to minimize the use of standalone ECC and ultimately disable it via an application profile.

- In a decade, when standalone ECC is deprecated and considered to offer no meaningful security, some systems may want to migrate to standalone ML-KEM-768 to save energy. However, contrary to some claims, many deployments will not need this second transition. For some systems, the engineering effort to move away from X25519MLKEM768 will not be justified.

- Several countries are recommending or requiring standalone ML-KEM. They may be worth contacting to determine whether they are also interested in attestation.

https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/0/CSI_CNSA_2.0_FAQ_.PDF
https://www.ietf.org/archive/id/draft-becker-cnsa2-tls-profile-02.html
https://www.ncsc.gov.uk/whitepaper/next-steps-preparing-for-post-quantum-cryptography
https://www.cyber.gc.ca/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111
https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism/cybersecurity-guidelines/guidelines-for-cryptography


As noted above, I view ML-KEM-512 as the most useful algorithm in the draft. For middlebox traversal, I would have preferred X25519MLKEM512, but the TLS WG chose not to pursue that option. Long-term, standalone ML-KEM-768 may be a reasonable migration path for some deployments using X25519MLKEM768. Cost savings are measured in absolute dollars, not percentages, and Kleinvieh macht auch Mist (small savings add up too).


(That said, my support of publication is still conditioned on the text in Section 5.1 being completely rewritten or removed.)


Cheers,
John




On 2025-11-27, 08:59, "Muhammad Usama Sardar" <muhammad_usama.sardar@tu-dresden.de> wrote:

On 27.11.25 01:16, Eric Rescorla wrote:

> First, the requirement is not that implementations *use* P-256 but
> rather that they implement it.
>
> What's *not* compliant is if you have an implementation which doesn't
> support P-256, no matter what other groups it supports.

Thank you for the very precise explanations and clear examples. I fully
agree that the statement I proposed is not required.

-Usama