[TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
Thom Wiggers <thom@thomwiggers.nl> Wed, 08 October 2025 13:08 UTC
Return-Path: <thom@thomwiggers.nl>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id BE5476F56D26 for <tls@mail2.ietf.org>; Wed, 8 Oct 2025 06:08:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=thomwiggers.nl
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tqTL0omlO_bW for <tls@mail2.ietf.org>; Wed, 8 Oct 2025 06:08:31 -0700 (PDT)
Received: from mail-ej1-x632.google.com (mail-ej1-x632.google.com [IPv6:2a00:1450:4864:20::632]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 5DB776F56672 for <tls@ietf.org>; Wed, 8 Oct 2025 06:07:29 -0700 (PDT)
Received: by mail-ej1-x632.google.com with SMTP id a640c23a62f3a-b48d8deafaeso254274066b.1 for <tls@ietf.org>; Wed, 08 Oct 2025 06:07:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thomwiggers.nl; s=google; t=1759928848; x=1760533648; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=rR1VW9OqPaf/LuPHRxhbS+D/33rhEVrK5vNa+4ZYefw=; b=cYGQQftBEuksFFenmWtSF16ZHAINCmYAWPooawI7anyTw3KEXLP6MJ7Stp+2Wdw3ii G1asyb9kOCprV81Vha7poEn4AcXP8hhAYqfgH4iNTwtdQZ0KqttZC+1krm+5wMWbNOWy sSlgBMgqliPYnwrnZnkFtOn91XqirW+SJ/s84=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1759928848; x=1760533648; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=rR1VW9OqPaf/LuPHRxhbS+D/33rhEVrK5vNa+4ZYefw=; b=UFHueGWoSAUPYZbnQPck4WrcCnYqGTC9i+LvdsStt4E8y04SFSI8Hou2aS8RpB+7LD s2fkgPhKTrop3aBXoDrlghbjt0O39Kq2oaaT0OWzEn9bO8ApyH2cMfQAbbKBY8MYUeXl ePlpdHOvXJpCg/SkqpSzBcAcw6nmZYdl+7RVg5knNHsD0+R5PzznZa5m810F5meDmbA1 sd7TIp0OKNsGSup/dbsjgicXkgmhu6izD2BRpvYXpLup8xCEBqnHPbcwzheAXJp00b+6 cIYPAfY7Mlx7TAbcuAfaCpeEmPyTmiBEx7YxkTySqm7HyxY/f/9G3iwtS9Pf/FizPwd/ h8jA==
X-Forwarded-Encrypted: i=1; AJvYcCVoP4685QEdoBeYffQLQVG7pcQ9cV17WMgEokSrJt3bwIdc2nE/Y0gPfSuBCoZgcNN5FWk=@ietf.org
X-Gm-Message-State: AOJu0YweBE4vssAyAxn5he23v+y/dnVWiv6FJ3mGslot5k6RtG5YQU0L 8jCJ0fbBIcFNs6euzSW6avg3Ed0WmAITlipJWRrOEw66sb80tyxDwvR1ER88WDR1XZ5povbvN8o MTiOOiMA=
X-Gm-Gg: ASbGncvclMloZLF+yoObTiQFhrpL44JlCopLilp3gw3zvEP0TcSGAFbL+yWk/wWQUDh ENhB3iAMzCrXJ9YKtVXmEORzOCBJhEA5AWFkqr7t/O3SzU3OpAKVgzbMfGAbKPbbuHNPxkXH24g 5kWS3NDqp8QGFTtqKPOeRPxQ3pE3oF+kp/iYVRI/0jGWCUBHSbbFluey8VWEOYBo42YbvBjjX5q xNZl8vLt/vqSzWrVmAqoKa3ZYxIZjWy7e213k0tp5DcRlLBouLSZ+viHzMYTFVc11uGPh1vPkVo tNITciRBzFjJT+1yiwmRMoZ5aYRhDMNuNiGCGsJM0/+ToA/7GMJoemJ0VKydEenyCMXCYxGkKuk A43VGy5+NY3PlUMJpNax19cJDCL2Jr54gPAadVfBHeSIGKRZu6GjMi8MZFfKwvyeEUKNsWvg/+n Y25a2uAWl+64oHx/9WFwwMFT+lDA==
X-Google-Smtp-Source: AGHT+IEBCpSdrqiHHyPSZ6INYwgwbfaPpW+68XfWB+Xml8mH2rZUsh9Cq3kLIvgTW0ENtwdAwutBvg==
X-Received: by 2002:a17:907:7fa4:b0:b3c:82d5:211c with SMTP id a640c23a62f3a-b50aae981e1mr425250266b.27.1759928848036; Wed, 08 Oct 2025 06:07:28 -0700 (PDT)
Received: from smtpclient.apple (87-170-98-95.ftth.glasoperator.nl. [95.98.170.87]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-b504c9a25bdsm315844166b.84.2025.10.08.06.07.27 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Oct 2025 06:07:27 -0700 (PDT)
From: Thom Wiggers <thom@thomwiggers.nl>
Message-Id: <CA2D9127-B923-4AE8-883C-AAE73987794F@thomwiggers.nl>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6B04CA96-4E9A-440D-9633-6E1A5BBE48D4"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.100.1.1.5\))
Date: Wed, 08 Oct 2025 15:07:17 +0200
In-Reply-To: <CABcZeBO+3u=1=ueNscq+O74Qv=7PC5NedsGsugp=GZjVqtODoQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
References: <CAOgPGoA+c8kXDizwsvFG5tLz9+Kxk0HqiN1skKp5jMvvpxeu0Q@mail.gmail.com> <CABcZeBO+3u=1=ueNscq+O74Qv=7PC5NedsGsugp=GZjVqtODoQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3864.100.1.1.5)
Message-ID-Hash: GQMTD7XUKIRS7Z46V6MR3CV3OPMBG45L
X-Message-ID-Hash: GQMTD7XUKIRS7Z46V6MR3CV3OPMBG45L
X-MailFrom: thom@thomwiggers.nl
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "<tls@ietf.org>" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2TZ0m26vA4Rx50hWT0xqUZA7xiI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Hi all, The draft looks ready to go to me, and I think that it would be good to mark at minimum X25519MLKEM768 with Recommended=Y — but I don’t think this should hold up this document. On Bas’ point, it kind of seems that there are separate concerns for clients (more options lead to HRRs) and servers (more choice may be fine / desirable). This probably deserves its own discussion as it seems to go beyond the recommended column. Cheers, Thom > Op 7 okt 2025, om 16:51 heeft Eric Rescorla <ekr@rtfm.com> het volgende geschreven: > > I have reviewed this document and I think it is ready to go with > one exception, namely the Recommended column. > > The RFC 8447 standard for "Recommended=Y" is: > > Per this document, a "Recommended" column has been added to many of > the TLS registries to indicate parameters that are generally > recommended for implementations to support. > > I think there's a general expectation that we want people to > implement and deploy these algorithms, and I would expect > that the X25519 and P-256 versions to be widely deployed, > at least on the Web. Therefore, I think we should mark all of > these as Recommended=Y. I note that this would require > advancing this document as Proposed Standard. We should do > that as well. > > -Ekr > > > > > On Tue, Oct 7, 2025 at 6:47 AM Joseph Salowey <joe@salowey.net <mailto:joe@salowey.net>> wrote: >> This is the working group last call for Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3. Please review draft-ietf-tls-ecdhe-mlkem [1] and reply to this thread indicating if you think it is ready for publication or not. If you do not think it is ready please indicate why. This call will end on October 22, 2025. >> >> Please note that during the WG adoption call, Dan Bernstein pointed out some potential IPR (see [2]), but no IPR disclosure has been made in accordance with BCP 79. Additional information is provided here; see [3]. >> >> BCP 79 makes this important point: >> >> (b) The IETF, following normal processes, can decide to use >> technology for which IPR disclosures have been made if it decides >> that such a use is warranted. >> >> WG members can take this information into account during the working group last call. >> >> Reminder: This working group last call has nothing to do with picking the mandatory-to-implement cipher suites in TLS. >> >> Cheers, >> Joe & Sean >> >> [1] https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/ >> [2] https://mailarchive.ietf.org/arch/msg/tls/mt4_p95NZv8duZIJvJPdZV90-ZU/ >> [3] https://mailarchive.ietf.org/arch/msg/spasm/GKFhHfBeCgf8hQQvhUcyOJ6M-kI/ >> >> _______________________________________________ >> TLS mailing list -- tls@ietf.org <mailto:tls@ietf.org> >> To unsubscribe send an email to tls-leave@ietf.org <mailto:tls-leave@ietf.org> > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Paul Wouters
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Working Group Last Call for Post-quantum Hy… Joseph Salowey
- [TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Post-quantu… David Adrian
- [TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Deirdre Connolly
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… tirumal reddy
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Andrei Popov
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Thom Wiggers
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… David Benjamin
- [TLS] Re: [External⚠️] Re: Working Group Last Cal… Yaroslav Rosomakho
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Eric Rescorla
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: Working Group Last Call for Post-quantu… Martin Thomson
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: [External] Re: Working Group Last Call … D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Filippo Valsorda
- [TLS] Re: [External] Re: Working Group Last Call … Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: [External] Re: Working Group Last Call … John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Dennis Jackson
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Stephen Farrell
- [TLS] Re: Working Group Last Call for Post-quantu… Joseph Birr-Pixton
- [TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
- [TLS] Re: Working Group Last Call for Post-quantu… Christopher Patton
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Rob Sayre
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Appeal Response to Rob Sayre - was Re: Re: … Paul Wouters
- [TLS] Re: Appeal Response to Rob Sayre - was Re: … Rob Sayre
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Peter Gutmann
- [TLS] Re: Working Group Last Call for Post-quantu… Yaakov Stein
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Joseph Salowey