IETF Logo Mail Archive

[TLS] Re: New Liaison Statement, "Liaison communication to IETF regarding draft-ietf-tls-mlkem"

Nico Williams <nico@cryptonector.com> Wed, 08 April 2026 00:51 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id B3C24D7CEDCC for <tls@mail2.ietf.org>; Tue, 7 Apr 2026 17:51:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1775609462; bh=pOs3cvqBDpccx3CQtNszpZcE+jt7d5XcvPvHQzOj76w=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=Ls2pvZ3ZfeSh8YdEwjYtvn4ymtDKqFAPGXyIB9OPZQ3iSz9OL9HplS/FKrmDkUrpN YzjxEb9f/s+h/Z18an+ALusghliSIihHQn3k1LSyXYpfKRchtlKO7qvhTRq7eWRwBx i0YJrVWun6Fg9YkvT0RcrmS0OhW6LzoIha7y8VaQ=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6M1aZ3Ax0x1n for <tls@mail2.ietf.org>; Tue, 7 Apr 2026 17:51:02 -0700 (PDT)
Received: from skyblue.cherry.relay.mailchannels.net (skyblue.cherry.relay.mailchannels.net [23.83.223.167]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 179E7D7CEDC1 for <tls@ietf.org>; Tue, 7 Apr 2026 17:51:01 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id C496F641710; Wed, 08 Apr 2026 00:50:55 +0000 (UTC)
Received: from pdx1-sub0-mail-a210.dreamhost.com (100-99-26-167.trex-nlb.outbound.svc.cluster.local [100.99.26.167]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 6E5E96415A7; Wed, 08 Apr 2026 00:50:55 +0000 (UTC)
ARC-Seal: i=1; a=rsa-sha256; d=mailchannels.net; s=arc-2022; cv=none; t=1775609455; b=Nil9MtETMHN9IfTM2B7Z/aZ4wjyDW3EZ5r9pVzDmJxldYRnpPvzknG+P8uSPanTdCv00Xo EseUYyBk1k2FtjJi0fHjZTa7KNDNYCDD9uL54+wiZKdy84uW7bVOGDwWhudgPerD7sGker nYIQW8qZ6ufn5gejrsNATm1l0SP/0/i3qLdWNdNImF+bguSik74rU6hz1UtXnF8d5TdHu+ SncuZS24fGFkjNfolrXVQk2ujo4hlhdcyBQC88hvze4xFkPLLzOqhu0AoRBSFoC9+EMbAR kuQBxbULoENKLh92w5NNPm56qYivPk/M0C1a1y103BlcFjIfZeD0k6jNfs2gvw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1775609455; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=sUl5UeUDQW2N4bz7sTMA5+A7K5uWPRN/PFvhJLvWY6g=; b=PJnrGY/tSLG/qqti1a/8uowZuEA0H6IpFb5XDuNqXcA8K+eRqbcV1PgqvYLUcfmt+FFz9u WINH+RIRlaoaIGck1G7KHqV/0Pr4Wv6I9VX1Cy4HqObI/bZHDVVlKpzrB62qHAethP60hA J7ad/bbYBi/xe2PMZsfXbOstZQTh240eCxhRSPwbA8Oo6iuGx6XyULn2WepMnLX/zn9ir7 /jRKhA3Dq0owhZnyTAwNjMw1SDxsowheJ0vlAtVz1uxOo06tpc9kMTSkNHwqqkUt3+0T19 JRUNhy4jqmg6o4uY99fY6ynG7mHyxcQvL1cP1PczzRp/jH1IrI4XVEsQB3bMVw==
ARC-Authentication-Results: i=1; rspamd-bd48b9d95-j8sbk; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Thoughtful-Zesty: 7817aaa170a554dc_1775609455677_218158787
X-MC-Loop-Signature: 1775609455677:3346547743
X-MC-Ingress-Time: 1775609455677
Received: from pdx1-sub0-mail-a210.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.99.26.167 (trex/7.1.5); Wed, 08 Apr 2026 00:50:55 +0000
Received: from ubby (unknown [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a210.dreamhost.com (Postfix) with ESMTPSA id 4fr4Hf618YzPx; Tue, 7 Apr 2026 17:50:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1775609455; bh=sUl5UeUDQW2N4bz7sTMA5+A7K5uWPRN/PFvhJLvWY6g=; h=Date:From:To:Cc:Subject:Content-Type:Content-Transfer-Encoding; b=GISAMrJmaf31ts1O2mMvr+jJV+R/OkMDAjel1OrqoG0DNCQ90mzMK3Yi7eGNldTeK rrn6vh6gfZTHNcPEbILivRKYJvxrU+ks+z8F6LrVJVAQ7UoM6wDYzvx/ois04qALtl qmm+h1Aj7n2x6Lq1e0j+fQK3LKuNrUowwnx/qr3xq1GykPD9cJHYce9mrkAG1n239H 87YbTA33+kOcxfMXqbxjecI2rai6Gt2hZvHJnwIRoy/Z88PdRBq2luVJcofwEToqzn zUbklt7hVSd/QW9tvFZeK1EX3cPtbyz+zRdVyKEHSm2Ep3xB8ogWMdHP19JKsYXPt8 kKZY44hrVhO8g==
Date: Tue, 07 Apr 2026 19:50:52 -0500
From: Nico Williams <nico@cryptonector.com>
To: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
Message-ID: <adWmbJXDi7xd1Q3A@ubby>
References: <59ADD91D-9A81-4DC5-A3B5-3D8C2747AB96@vigilsec.com> <3d933b83-2b0a-40ac-80b9-dd2cc15b4766@tu-dresden.de> <903E494F-9C92-45C9-ADB2-96456A88AF91@vigilsec.com> <dbf63a1c-f1e0-480e-90a5-67f74b661267@tu-dresden.de> <adQkkfDWpMYySub0@ubby> <60167faa-c4bd-4397-988d-8b226a73b705@tu-dresden.de> <adQ2C/gPwGutLSux@ubby> <5d3aba60-d52d-4408-a5a2-b1c8bd3a6c8d@tu-dresden.de> <adROgdd2QYDRIhDA@ubby> <fa8f9b78-7019-4b4e-b769-3348cf3daa05@tu-dresden.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <fa8f9b78-7019-4b4e-b769-3348cf3daa05@tu-dresden.de>
Message-ID-Hash: V2HK62J2A5YTNSA47BRJQRP3YSX2KDWB
X-Message-ID-Hash: V2HK62J2A5YTNSA47BRJQRP3YSX2KDWB
X-MailFrom: nico@cryptonector.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: New Liaison Statement, "Liaison communication to IETF regarding draft-ietf-tls-mlkem"
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4VjyP7rZ8Bi8G-bN_eFmBFHEggE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Wed, Apr 08, 2026 at 01:15:19AM +0200, Muhammad Usama Sardar wrote:
> Now returning back to this email with the agreement:
> 
>    Outer TLS: Network layer: use pure ML-KEM
> 
>    Inner TLS: Application layer: use ML-KEM + ECDHE
> 
> Since Christian and John are talking about "link" layer, I'm lost whether we
> are all talking about the same layering. But in this email, I will continue
> with what we both agreed in [0,1], and later on spend some cycles to
> understand what they are saying.

You wrote "Outer TLS: Network layer", but what is the "network layer"?
It could mean the link layer, or IPsec.  Anyways, in the context of IEEE
it means "the link layer", so it's point-to-point, and at best
hop-by-hop, while applications are end-to-end, so we're talking about:

 - how nodes connect to switches (think Ethernet)
 - how nodes connect to WiFi and other wireless protocols

> On 07.04.26 02:23, Nico Williams wrote:
> > I'd expect that 802.11x key exchanges are infrequent and once connected
> > asynchronous, so performance is less of a concern at that layer than at
> > the application layer.
> 
> Let me translate that to RFC8446 terminology:
> 
> Handshake for outer TLS will not be so frequent, i.e., TLS "connections" at
> network layer will be long-lived.
> 
> Why do you say "key exchanges" only? They should do "authentication" as
> well, no? I mean full handshake, right?

The _packets_ will not be using TLS because they are unordered.

> What do you mean by "asynchronous"?Are you thinking about PSK-based
> handshake?

I'm talking about the nodes involved re-keying periodically, which
should not pause traffic flows.

> > What I'm saying is that I am much less concerned about non-hybrid PQ at
> > the network layer than at the application layer.
>
> concerned in terms of performance or security?

Security.

> > The application (e.g., a browser), just does TLS as usual with
> > RECOMMENDED=Y algorithms and gets hybrid PQ.
>
> This is what confused me and that's why I asked [0]. There is nothing in
> hybrid with RECOMMENDED = Y. Maybe you mean once
> draft-usama-tls-ecdhe-mlkem-update is published?

Well, right, that has to get fixed too.

> >    The application is not
> > aware of what security is provided by the network layer.
> > Double encryption just happens because:
> > 
> > a) the network (802.11x, IPsec) requires it policy-wise,
> > 
> > b) the application uses TLS (or similar) independetly of the network
> >     being encrypted.
> 
> I am very lost now. I thought in [1], you agreed that there are two nested
> TLS connections, i.e., TLS-over-TLS rather than TLS-over-IPSec.

Nested, yes, in a very loose sense.  The link layer is encrypting, but
the link layer is one hop, and the application is end-to-end -- the
application _cannot_ make use of link layer security because it can't
ensure that every hop will use appropriate security, so the application
has to use TLS itself.

> Are you aware of any complete specs of such double encryption from which I
> can create a model?

It's very simple: the network link layer is encrypted separately from
what happens above TCP, and there is no connection whatsoever.

> > ASIDE: Long ago I had wanted to be able to make use of network layer
> >         cryptography at the application layer, thus I wrote RFC 5056 (On
> >         Channel Bindings) to expand on RFC 2743's nebulous concept of
> >         channel binding.
>
> After reading this, I realized that Nicolas == Nico 😇 I happen to be your
> fan for this work 😉 because I have been researching channel bindings
> (RFC5056 and RFC9266) recently.

Hope it helps :)

> >         All of this was made unnecessary and obsolete by things like the
> >         disappearance of multi-user NFS clients, the appearance of NICs
> >         that can offload TCP and even TLS, etc.
>
> For TLS, did you mean RFC9266?

Yes.

> > No, compromise of one layer will not compromise the other.  The two
> > layers are independent.
>
> I meant if server is compromised, then all keys of the server are
> compromised, except if keys are stored in different storage mechanisms. As I
> mentioned, our design of attested TLS provides an independent root of trust.
> Maybe we can suggest IEEE 802.11 to do this, so that if their ML-KEM thingy
> breaks, attestation can protect them.

How does attestation protect against catastrophic cryptanalysis?

> > I would expect that application-layer security is always mandatory, thus
> > only network layer security would ever be optional.  Given that, if the
> > network uses non-hybrid PQ, it's not that big a deal.
> 
> Now I am even more lost. If network layer TLS is optional, there can be
> active MITM, no?

Yes, but TLS is supposed to be resistant to MITMs.

> So if there is no channel binding between the two layers, then how does one
> endpoint know about the authentication done at other layer?

It doesn't.  They are independent.  Neither knows about the other.

Nico
--

v2.40.4 | Report a Bug | By Email | System Status