IETF Logo Mail Archive

[TLS] Re: [EXT] Re: Complaint to chairs regarding false claim of consensus to issue an RFC for draft-ietf-tls-mldsa

Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> Wed, 06 May 2026 16:00 UTC

Return-Path: <muhammad_usama.sardar@tu-dresden.de>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 159F7EA0539D for <tls@mail2.ietf.org>; Wed, 6 May 2026 09:00:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1778083201; bh=b5qKRz6eW8gXkFtC+KNQcsI7S03sjwVEI2r0uvqg/2g=; h=Date:Subject:To:References:From:CC:In-Reply-To; b=lv34xe3wErAiwt/CRBfz8nlNMelAQerGcrierP9u99/pWJVCCDQZJ9a9aiHNimSpj QKknSVj0lNA2qLesxqYDPPDTdiFM5odmSceY/WPGKa7fRd5vkznqwTpGcW+/H8tvuF GHe5cjuNuI/Ggr339EC6fqh5PZbT7BmzThd9X3iE=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=tu-dresden.de
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G8Kke4j1X1JM for <tls@mail2.ietf.org>; Wed, 6 May 2026 08:59:56 -0700 (PDT)
Received: from mailout4.zih.tu-dresden.de (mailout4.zih.tu-dresden.de [141.30.67.75]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 58CA8EA0538F for <tls@ietf.org>; Wed, 6 May 2026 08:59:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tu-dresden.de; s=dkim2022; h=Content-Type:In-Reply-To:CC:From:References:To :Subject:MIME-Version:Date:Message-ID:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=HAZrcwTIRn9JJbfaZ0MiKohQ1fPdP6/ZxA5RZmSz0lQ=; b=MOfxYF9pcaz0aIKRYBjsXvwTvY u1EzO1jYz5OEXu4a3HWO/5GJNz2zDdSN/0PX8QegEX/aprr217tONJtpr1SFoWQpzrwnhwE0md9pj sm458w4EPTPb2m2m69ItVACL38pEpZONmvfAPYmCm38S56+8iFgtGWafmNqYn2iPCYqCV2pzMuR0B oGJu7GxdEcoAP+u/RLv+TSzVttHV7/HjXKDG9IZZUiDL37vFCZXtq27BF4doIsgw7e9aTtjkhSSiu RXsNDZqhLa8ZdSaMoYZ82xUGxdj0T4NeMejXe9M0qTgQEfxg5iLBocjjFo/RkjLMO277ICe3+31uP BxQ62kGA==;
Received: from msx-t422.msx.ad.zih.tu-dresden.de ([172.26.35.139] helo=msx.tu-dresden.de) by mailout4.zih.tu-dresden.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <muhammad_usama.sardar@tu-dresden.de>) id 1wKefC-00CL99-24; Wed, 06 May 2026 17:59:55 +0200
Received: from [10.12.5.228] (141.76.13.149) by msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.37; Wed, 6 May 2026 17:59:29 +0200
Message-ID: <7259ce25-c2c9-433d-bde2-f55a7d17e1dd@tu-dresden.de>
Date: Wed, 06 May 2026 17:59:27 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: John Mattsson <john.mattsson@ericsson.com>
References: <AS4PR07MB88256A37F4AF4EB6E2DE05B2893F2@AS4PR07MB8825.eurprd07.prod.outlook.com>
Content-Language: en-US
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
In-Reply-To: <AS4PR07MB88256A37F4AF4EB6E2DE05B2893F2@AS4PR07MB8825.eurprd07.prod.outlook.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms080709000102060205010603"
X-ClientProxiedBy: MSX-L420.msx.ad.zih.tu-dresden.de (172.26.34.140) To msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139)
X-TUD-Virus-Scanned: mailout4.zih.tu-dresden.de
Message-ID-Hash: TPN4CAPVKE5NKINFJ7FH3XEHXZQA5VUM
X-Message-ID-Hash: TPN4CAPVKE5NKINFJ7FH3XEHXZQA5VUM
X-MailFrom: muhammad_usama.sardar@tu-dresden.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [EXT] Re: Complaint to chairs regarding false claim of consensus to issue an RFC for draft-ietf-tls-mldsa
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2PaKlc39PEgtBfelvzM7pjCZa9s>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi John,

Thank you for your valuable feedback. That addresses my concern. I am 
happy to swing back to 'no opinion' for this WGLC.

I will do further working as per your feedback and share with the WG 
when I have something of substance.

On 06.05.26 16:46, John Mattsson wrote:
> >I have a formal proof for that for TLS. Please clarify what you see 
> wrong in my proof.
>
> Did your proof consider known past and current attacks on deployed 
> systems that rely on malleable signatures or signatures lacking 
> beyond-unforgeability properties, including firewalls that use 
> certificate fingerprints in blocklists?
No, and I sincerely apologize for the misunderstanding. By formal proof, 
I meant at the /symbolic/ proof (in ProVerif) and not a /computational/ 
(cryptographic) proof. I believe the cases you mention need 
cryptographic analysis. I am not sure how to model firewalls though.
> I think your PR would have been less controversial if it had not 
> included a reference to very weak hybrid constructions. Given your 
> usual emphasis on strong security properties, I was somewhat surprised 
> by that direction. ML-DSA is an excellent algorithm in this context. 
> In addition to being non-malleable, which should be a baseline 
> requirement, NIST also significantly strengthened Dilithium with 
> hedged signing and beyond unforgeability (BUFF) properties.
Thank you for your suggestions.
>
> >It increasingly feels to me that if we had adopted Stephen's draft [1]
> >and focused even a small fraction of the energy we have spent on debates
> >on ML-DSA and ML-KEM, we would have been far better.
>
> Stephen’s draft suggested not doing any work on PQC signatures, which 
> would have been risky and is not aligned with the EU PQC Roadmap, 
> which identify PQC as a high priority for trust anchors in long-lived 
> devices and PKI.
I agree with you regarding EU requirements. However, my reading was that 
most of them currently need hybrid authentication. Once adopted, WG 
could have shaped the guidance. My general point was that there has been 
very little technical discussion recently and we have all been going in 
circles. If it were all written up in an adopted draft, we could all 
improve it and avoid circular discussions.
>
> >The broader IETF consensus is captured in [0]
> There was IETF consensus to publish [0]. However, I do not think there 
> is neither IETF nor LAMPS consensus that [0] is on par with RFC 9881 
> or RFC 9909. [0] inherits the malleability weakness of ECDSA, 
> introduces a new independent malleability weakness, and destroys the 
> beyond-unforgeability (BUFF) properties provided by ML-DSA. Compared 
> to standalone ML-DSA, I believe [0] has a higher likelihood of 
> introducing serious vulnerabilities than of mitigating them. In 
> addition, the legal uncertainty around the use of composite 
> constructions is high. I also recently noted that designing new 
> cryptographic algorithms such as [0], without CFRG vetting, is out of 
> scope for the LAMPS charter. If there were a new WGLC, I would oppose 
> publication.
>
> Note that a main driver for [0], SecP256r1MLKEM768, and 
> SecP384r1MLKEM1024 is the ability to sell FIPS-validated 
> implementations of P-256, P-384, and RSA-PKCS#1 v1.5 as 
> “quantum-resistant”, even though only the quantum-vulnerable 
> components are FIPS certified.
>
> Ericsson just posted a long public comment [4] on signature security 
> properties, government recommendations, and different approaches to 
> signature hybridisation.
>
> [4] https://emanjon.github.io/NIST-comments/2026%20SP%20800-230%20IPD.pdf

Thank you for this useful reference, I had a quick look and this already 
answers some of my questions. I will explore it in more detail.

Kind regards,

-Usama

> [0] 
> https://www.ietf.org/archive/id/draft-ietf-lamps-pq-composite-sigs-19.html#section-9.1
>
> [1] https://datatracker.ietf.org/doc/draft-farrell-tls-pqg/
>
> [2] https://mailarchive.ietf.org/arch/msg/tls/vIGryOB0TU_vD81HUUxXQUNdnN0/
>

v2.43.4 | Report a Bug | By Email | System Status