[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08)

"Markku-Juhani O. Saarinen" <mjos.crypto@gmail.com> Fri, 03 July 2026 09:19 UTC

Return-Path: <mjos.crypto@gmail.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id EB4FC10D72799 for <tls@mail2.ietf.org>; Fri, 3 Jul 2026 02:19:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1783070368; bh=j/RuGWdc382lVwCS1wFscWaQLqnb4sSg5ow7F1lFyxE=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=QvQBQNU0futsTMom/s0rOqfZymllLTpzC1ftUYokBR95obLP/Dy2JJcpvu+oxvVM3 sMO8KAI1gL/0INtbfbrLXr/2/Kz+ng747sD3u/bvNLNytN9iQU8NWaHS79H1O+2zvf 6RS9IBcqNJNssnl2pafkKhoqARiwWNVWal3sx0BU=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.588
X-Spam-Level:
X-Spam-Status: No, score=-1.588 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, GB_PAYLESS=0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AVkllMdF07TZ for <tls@mail2.ietf.org>; Fri, 3 Jul 2026 02:19:28 -0700 (PDT)
Received: from mail-pf1-x42f.google.com (mail-pf1-x42f.google.com [IPv6:2607:f8b0:4864:20::42f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id CA9E510D72673 for <tls@ietf.org>; Fri, 3 Jul 2026 02:18:35 -0700 (PDT)
Received: by mail-pf1-x42f.google.com with SMTP id d2e1a72fcca58-845b6d9bf39so316046b3a.1 for <tls@ietf.org>; Fri, 03 Jul 2026 02:18:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1783070315; cv=none; d=google.com; s=arc-20260327; b=TW2/ifDo05Ts9Q5Hvbc5YH31G4dNHg9RAfRV0+UwL3u1BLDUeV6x78+1WhlUPRLiuK 778ivppry15i1Eue8xh3tveb+NdWholIwL59CDNSUu1Jw7DvE/wl97JPfk1ZHnLG8Ga+ tw3DLatDpgyPLVCNicfXqbvVwWtbFYRdU9ZRGjTO73xgrjVsd8PrGd4uhfI+dEqK7vf0 ddHOwVFdjeylS3YQDIq28wxi6C7ayxBJjyNm9lwD+PLDXMvyWOxy+XCyNgU+V2goGHKF XiS5ygRgD/nWoeQJwYJ/BHYpqsTHwFYzlsG1kQdQZ6Gn5LZxyqVfa8fufMn2SxnTVZdF Zllw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20260327; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=AW6gh61I3bUF/7Uye4ChVfL9zmgix1D8EZqLKEFGkIc=; fh=u1sKhO8z7RksxHfiLuzoVM+fKWxuZI7ncP5AJG+orEs=; b=HhsHnkMrlgbGN7irrTJQd1gd49nR+PU3FMRPo4eCvys9EaiG1QzXdy4DJR924wcNmo SLN2tHY4bIDEt78q/z1WEJYdXuDmkJgOErwrUt1/BGH/ZkOQUI4uQKNWbBYeMfkBay1r WKoCwZmVW31EIgGyCL/3VOubX+r5/9JfT6xHYs/aHixn7bVmgP7RkoTPkBKLhxvEFXbo ScjyRIjxPjK/YiACQrU7UldqQ6eGohxCWakUS20v0uE6yMe22B3oT/Yssfp1jamJl6gq /ZK2y9zLKjteITPwH0EaMThn+rZrlB+LRLZmnN3PAcwSMV/pkvR94pjoe8wM8MHkkCHo y6gQ==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1783070315; x=1783675115; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=AW6gh61I3bUF/7Uye4ChVfL9zmgix1D8EZqLKEFGkIc=; b=QAwjQIL+EdYrmbVbmOLPa1xndiYaZkAYRq6DDS2d7XUIaPLShYKmj0UDMjGmw63XVN IfRe1OuFq0hYViVtJfp0lXZE1b51CLTYJyv5dxXZOSKqu4TtX1PqSCAKzo4CmFXzIWJj vvWswECfcjBC9HIDHQt5UP2ppPWdccLKpzOUhhoHSNotag7e2sokSynXLPBc9Q78XTdf IxobmMNqlZtYUQnn0NtentR7F7FHSRRLOxW75+CtcTV4B3+sfYvNF+G8Kjl2h7R4cy/N VKJmKcmkMeev1HYA/tEN9igeTzms43ujCt/B3/MadQuJIY0I6CrcVw+k0H0Ggpb8j5dE 4kUQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783070315; x=1783675115; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=AW6gh61I3bUF/7Uye4ChVfL9zmgix1D8EZqLKEFGkIc=; b=LxFW3+w71ZMmRmWzgs3b5ZD7g6jCW9j7c4kr8Ss9NFMKv9T4LFVdCQn5YS826LgQUh eTCGK5P3LiYM0wBwZx1BNLLkUiEglcuK7PsAaaMcUNAPrOkvqZNdFWAB3U/A0jjNt6DJ ZzGreQ42DET4OD7uw9BtvIraC+sGoaG6/OwxmB5KId9N0yly0rsOI8zHyAv/GkJmCeZ2 uweybzmNdC4QbBnTxyaQNsjtjYiauacLUy3Cicog21kvNyzkHdHAbhAsVV7TO5lv2STT 2ij5MIjLiVM58aAfOZZOyyrp6UlGK3L0ju+9M+AJuHbX7+8ly67hMer9DzIGU+1A8qb2 BQsA==
X-Forwarded-Encrypted: i=1; AFNElJ/SM/BUn4OmfQomy4V5TMwfwQ9q52935SYdVAbQqOzcqG5S81AU5J6kuwyqnoINt4mfe68=@ietf.org
X-Gm-Message-State: AOJu0YyXDGR06dXghXEge7UG0UajV5GfxWMpKnIcPmW25BLtm/BX/jcX b+IJloHrQXa2Gu2Cfs+3Ywe7ZTWuqzcmNJqvqjaXaBf8m0FRVvb0L3HdK2eHJEHRRcVSTEtiThN 4ugpOkuf4m766Ev4Y3sYu52CJEh/JpGg=
X-Gm-Gg: AfdE7cnQI6AuZZNMbZ7TLuoMh+Ba/MvXjKUFzQfNjyXNDAisR3WYQdChIIAc2zFnp9q Boc0/R2qyBN4G3wd8dJ8SjHhzHeDkihCuHfDMiSzHoN5ESg/9PuIEXrJj4PIABi2vLEKU1L5o2t qQ5eBeRPF63VsNAuQuZsUZS3+CutigNTfLDOZgSvNbGjrL8ysNQhvWB/zfUBLe4JsQH6LONncl8 4N6l/qi08AeAqnI8Xk4W+CbfyNjNi4o3NyFIqyMQ3tXFGwXDA7DKBitjU9FJ1RYt2zXBuoat3m/ uDxkwACkspcahkd93IVoRLFVlLEccsaRy2E2tdTFv4onD5h/Ki6BB21s
X-Received: by 2002:a05:6a00:c8f:b0:846:5d1f:56d4 with SMTP id d2e1a72fcca58-847e17f6e4bmr3211466b3a.14.1783070314743; Fri, 03 Jul 2026 02:18:34 -0700 (PDT)
MIME-Version: 1.0
References: <CA+iU_q=8bDayFTsmVY03TmSK9uQjXtxcOrxgC07hXA4kyUtTaw@mail.gmail.com> <CAA+_yBZSDL8fOJ8S-6NTt3yGg-O24Dit3at-KRqoGBcmyZaqWg@mail.gmail.com> <CABcZeBNbPbZ4s0Utjo1rFUMesKEuEz0whGXzUNn3XJ9=GK+C2A@mail.gmail.com> <CAA+_yBZiNp8ip_U8hw7fYqQUGT63cpONMLQr0_cTfn9BjQoMWg@mail.gmail.com> <cbf341a4-6819-403c-87ab-7e38897b1862@huitema.net> <CAA+_yBYYehbXFLNPZFBNsnZo+AzmCO_arY+wuabbTC-=PtXDSg@mail.gmail.com>
In-Reply-To: <CAA+_yBYYehbXFLNPZFBNsnZo+AzmCO_arY+wuabbTC-=PtXDSg@mail.gmail.com>
From: "Markku-Juhani O. Saarinen" <mjos.crypto@gmail.com>
Date: Fri, 03 Jul 2026 12:18:15 +0300
X-Gm-Features: AVVi8Cd46-VMDk1GmqPUWlV_pN-jffCMbnd-CmkpWMkJpunmS8U765EhRMjwyvw
Message-ID: <CA+iU_q=axSMURYqDV-YnDnwgGS4K9Y1QTF3FJg+AR3dfiqC2Hw@mail.gmail.com>
To: Orr Dunkelman <orrd@cs.haifa.ac.il>
Content-Type: multipart/alternative; boundary="000000000000b84d3d0655b16803"
Message-ID-Hash: VUDIDMOWG7MBP2NR4OA4U25XOJP5SXH7
X-Message-ID-Hash: VUDIDMOWG7MBP2NR4OA4U25XOJP5SXH7
X-MailFrom: mjos.crypto@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4z_NoGUBuJC4_ubfXEEcEpWweIw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Fri, Jul 3, 2026 at 8:38 AM Orr Dunkelman <orrd@cs.haifa.ac.il> wrote:

> Well, let me tell you why I am worried about the "seal of approval", and
> specifically, the action of the NSA.
>

Hi Orr & Co,

I guess we need to educate folks about what standards are and what they are
not -- that there are many kinds of standards with different caveats and
intepretations. I feel that understanding standards is one of the
foundational skills of any cybersecurity engineer. If you decide to
implement a cryptoprimitive, for whatever reason, following a standard is
very helpful in helping to make sure that the implementation is correct and
interoperable.  But an educator should never simply say "use standards"
without telling the students that there are also standards that one should
not use "by default" (one can still implement all kinds of things for
interoperability.)

Some of the conflation probably stems from the dual role of NIST in the
U.S., where it is both a standardization organization and a cybersecurity
agency. Most standardization organizations are not cybersecurity agencies
at all -- in Europe, we have a separation between ETSI-CEN-CENELEC (our 3
official std orgs), ENISA + two dozen national cybersecurity orgs, and the
executive (the European Commission).

In European terminology, "harmonised standard" means that a particular
standard enjoys a "presumption of conformity" with our regulations. By no
means are all European or international cryptography standards recommended
for use in Europe. Indeed, some standards are gradually being banned from
the market right now (practical effect of non-compliance with CRA).

This particular thing about "harmonised standards" is something that we (in
Europe) should really should try to teach to all engineering students, not
just in cybersecurity -- because the same logic applies to broader safety
and security as well. If you build, say, a fire extinguisher according to a
standard that is not a "harmonised standard", that fire extinguisher
probably will not pass a fire inspection. Building a thing like that is
fine if you're a fire extinguisher enthusiast or hobbyist, of course, but
commercially it wouldn't make much sense since people principally buy fire
extinguishers to comply with fire codes. It's the same in cybersecurity
engineering wrt CRA market surveillance (and I have not noticed much
enthusiasm for allowing "default" Chinese or Russian standard ciphers from
European authorities who decide on those things.)

On Informational RFCs -- this is the way it has always been. When I helped
write RFC 7693 on BLAKE2, I didn't think that it was some kind of "seal of
approval" (personally I usually recommend SHA3 over SHA2 or BLAKE2/3,
principally due to engineering reasons). The existence of, say, RFC 7693
just means that a specification is freely available to engineers who may
want to implement BLAKE2, for whatever reason -- typically for
interoperability. As a member of the IETF CFRG Crypto Review Panel, I
acknowledge that our review process is really quite lightweight (we are not
really expected to do cryptanalysis, for example). Again, we would need to
inform our engineering students about this.

Anyway, in the particular case of "pure" ML-KEM, I don't see credible
technical or security reasons to prevent its publication. And I see it as a
useful engineering specification, which should be published. The resulting
Informational RFC may even be referenced in a harmonised standard after a
few years, if and when quantum computers start really doing their thing and
people lose their attachment to quantum-vulnerable cryptography. So it's
good to have it availalable.

Some tangential anecdotes:

On the particular issue of Kuzneychik -- the thing with S-Boxes is a
curious one, and I, despite my best efforts (including interviewing the
designers in Russia!), never understood why they did it that way. Probably
a result of over-classification and a particular kind of counterproductive
security culture. But it is definitely on the "suspect" list and I would
not recommend its usage over other options -- but still the existence of an
informational RFC is arguably useful for Russian engineers who participate
in IETF, and for companies that built things according to that spec. So I
am not opposed to a free specification existing. On SPECK -- somehow I
actually feel that despite the lack of public design process documentation,
the later adversarial peer-review and undeniable technical merits of the
algorithm actually makes it attractive for practical use.

Cheers,
-markku
Dr. Markku-Juhani O. Saarinen <mjos@iki.fi>


On Fri, Jul 3, 2026 at 8:38 AM Orr Dunkelman <orrd@cs.haifa.ac.il> wrote:

> Well, let me tell you why I am worried about the "seal of approval", and
> specifically, the action of the NSA.
>
> After their lightweight block ciphers were rejected as ISO standards in
> the cryptographic working group, somehow SPECK (one of the aforementioned
> ciphers), became a standard in the RFID working group. Namely, by using the
> fractured nature of ISO, a standard that the cryptographic experts working
> in the field deemed is not trustworthy enough, made its way into ISO 29167.
> Now, SPECK is indeed an ISO standard, but just not one that was decided by
> experts in cryptography/security. Go and ask a random computer security
> expert if SPECK is an ISO standard, and whether it should be trusted as
> such.
>
> The story here seems a bit similar - as mentioned before - there is a
> proposal to make this a non-IETF RFC (and we are discussing
> "informational", but from the outside it looks as approved by the IETF).
> This will be utterly confusing, and the fact that the procedures allow for
> that, favor interoperability over trust. Now, I understand why IETF wants
> interoperability, but I urge those who support this informational RFC to
> consider the impact this will have on trust in other IETF RFC. Yes, in the
> short term you will increase the interoperability of this specific
> mechanism. In the longer term you will cause people to ponder whether RFCs
> are indeed "seals of approval". And while I agree that the proposed RFC
> will clearly be marked as "informational", and even if you put a label
> saying - "hey guys, you should really use a different method, and we only
> put this is here for interoperability", or any "keep out of reach of
> children" warning you like, there will be people who will lose trust in the
> RFC process to the point that in the future, they will pay less attention
> to IETF RFC's (I know that some people where so surprised with the SPECK
> ISO's hack, and decided that they are not going to trust ISO standards
> anymore. All of them.)
>
> Cheers,
>
> On Fri, Jul 3, 2026 at 3:00 AM Christian Huitema <huitema@huitema.net>
> wrote:
>
>> This "seal of approval" argument appears to be the motivating issue
>> behind the current opposition, but I have a hard time believing it is
>> such a deal-breaker. Yes, there always be people who mistake
>> "publication as an RFC" as a "publication as a standard", despite the
>> clear statement that informational or experimental RFCs do not specify a
>> standard. This is by no means a new issue.  Should a specification that
>> is considered problematic by some be published as an RFC? For a
>> discussion, see for example RFC 1796, published 31 years ago
>> (https://www.rfc-editor.org/info/rfc1796/) The attitude of Jon Postel
>> at the time was that if something was going to be used, it is better to
>> publish it as an RFC. It ensures that if people are going to use a
>> specification, they all use it in a compatible way. It also ensures that
>> the specification becomes highly visible. And it reduces the motivation
>> to develop parallel publication channels for competing standards.
>>
>> -- Christian Huitema
>>
>>
>> On 7/2/2026 3:06 PM, Orr Dunkelman wrote:
>> > I beg to disagree.
>> >
>> > Because many people don't see the difference between them (and yes, I am
>> > aware that this is an informational RFC, and yes, there is a code point
>> > registration). In many instances people just follow the standards, RFC,
>> > ISO, ETSI, and don't care whether they are informational, mandatory, or
>> > otherwise just a standard that is there. Many people view this as a
>> seal of
>> > approval by some standardization body. And I believe that such seals
>> should
>> > be given less promiscuously.
>> >
>> > I think that there is value in simplicity for security (and I think that
>> > the technical claim that simpler = better is a good point for the
>> proposed
>> > informational RFC), yet, one cannot hold the idea that simplicity =
>> better
>> > security, and not realize that outside IETF, once something is RFCized
>> this
>> > is considered by many as an RFC. BTW, this just proves my point - once
>> > there is a code point registration, then now, we must have a way to
>> > "satisfy" this.
>> >
>> > On Fri, Jul 3, 2026 at 12:50 AM Eric Rescorla <ekr@rtfm.com> wrote:
>> >
>> >>
>> >> On Thu, Jul 2, 2026 at 2:39 PM Orr Dunkelman <orrd=
>> >> 40cs.haifa.ac.il@dmarc.ietf.org> wrote:
>> >>
>> >>> Well, you are right - RFC 9189 should not have been standardized.
>> >>>
>> >> It was not. It's Informational and It's an Independent Submission/
>> >>
>> >>
>> >> I would guess that once there is an RFC that says this is the
>> Kuznyechik
>> >>> block cipher (namely, RFC 7801),
>> >>>
>> >> Another Independent Submission.
>> >>
>> >>
>> >>
>> >>> it is a bit harder to say to people - hey, this cipher, which appears
>> in
>> >>> an RFC, cannot be used in TLS, because we found problems in the
>> cipher.
>> >>> This is why whatever was in ISO _before_ the issues were discovered,
>> was
>> >>> left and not removed, whereas the new stuff was not accepted.
>> >>>
>> >> As a matter of policy, the TLS WG has a very permissive policy towards
>> code
>> >> point registrations, essentially only requiring that you have a
>> document.
>> >> The
>> >> rationale behind this policy is that forbidding people from having code
>> >> points
>> >> for algorithms is not an effective way of restricting their use. In
>> >> certain cases,
>> >> once the WG has decided that an algorithm is insecure we will forbid
>> their
>> >> use (e.g., RC4) and mark them as "Recommended=D", but we don't do that
>> >> as a matter of course for algorithms that are not widely used.
>> >>
>> >> I know I'm repeating myself, but this is also the situation for MLKEM;
>> >> there
>> >> is already a code point registration. All that is being discussed here
>> is
>> >> whether
>> >> we will publish an Informational IETF RFC specifying it.
>> >>
>> >> -Ekr
>> >>
>> >>
>> >
>> > _______________________________________________
>> > TLS mailing list -- tls@ietf.org
>> > To unsubscribe send an email to tls-leave@ietf.org
>>
>