[TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3

Bas Westerbaan <bas@cloudflare.com> Sun, 26 April 2026 09:07 UTC

Return-Path: <bas@cloudflare.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id BE99DE355EA0 for <tls@mail2.ietf.org>; Sun, 26 Apr 2026 02:07:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1777194447; bh=mGw65OLMYegerB67nLbqOzWktk7a+qio8vFHuNBLNOw=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=JvHwKLW3HkS1rVRQ5CgbW8GctVMyXlFmxvgJ2TEKqkXEeMJcLGevK4om9ty0PiFDB /pV+tUDWwxLhuKsgxdlfQ3bgNcN+pfFylavysSQebcX/uXPUkmLstB4GR9ZKnUGGGq dYvZaRi12q8SBQzF0RAtsYUpcYduCRc65s4uTZiU=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=cloudflare.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CnsgfNjUb0GR for <tls@mail2.ietf.org>; Sun, 26 Apr 2026 02:07:27 -0700 (PDT)
Received: from mail-yw1-x1134.google.com (mail-yw1-x1134.google.com [IPv6:2607:f8b0:4864:20::1134]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 3E558E355E99 for <tls@ietf.org>; Sun, 26 Apr 2026 02:07:27 -0700 (PDT)
Received: by mail-yw1-x1134.google.com with SMTP id 00721157ae682-79ab5fd969aso102545117b3.0 for <tls@ietf.org>; Sun, 26 Apr 2026 02:07:27 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1777194447; cv=none; d=google.com; s=arc-20240605; b=PC2UE1I50zPfIw9Qqev4AoTdaol4z6UxNef1z3GagOLpQkkEiRIkIezLLHS2xNj9iR ZDGEoYNXtR0VBZsyFJFKOZ+xoCtyjhGWVVXRQ0MHiHa95mBhXikrKY648yIFPI91crHH M18Q1stNc7QrGT5yOoT/zkwupr//kKXNCVQBGNBJlwuN/A9PPJHosSU90BX7iqIxR1nm 1SEHLeegd3nVEQTRZ2ytUas2Ia9T5I/D7zYkv4RvNlzaF246QppqJkjiBmzqieQ7yhxd Fq7ZbRuGugNrx+3jP6KdYBjpCDFyp8Kd+Qpu8uAdYgrdH6OVqdhMhQIP1CSJdUH/o+Qy UJDQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=mGw65OLMYegerB67nLbqOzWktk7a+qio8vFHuNBLNOw=; fh=47iagf3xjofOlO9ECK+cSOUXgF7gUuKdlrDGFpYStdU=; b=K91stUxJsvCxQA4eMcc9R9P+M3yd+s7wDCFZEr3gFGEIUH04kfF0Pt85TuW2w0Wqkw zx0IfWnr0CTQzz1W7k/XWYPGT20dA3MIrhgRcVmAY+czUGcVye/+G5y6Nd/okqLadYfu g+tUwwr8mfP7pPUv916WT+Nn8zEtV2E6R1DTTHl7q9LAP2Ut1uBWJli96I9mjFqj63YV ufeE4BeIgg/HAF+vsyfGhh5k50modue0mAE7yo7WZeLzVIWbQBJJMe08VNazdusbXBI8 KTyxra9DKbj45Bokb2XUVs3C/MtU4epL0d6uboTBV3ees00LNkLCry74S9K0J1l25URp waoA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1777194447; x=1777799247; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=mGw65OLMYegerB67nLbqOzWktk7a+qio8vFHuNBLNOw=; b=ZRvTIlKpbTaHc/Yhec2oU/OHoANRAPE1xJ0Mih2o8oHGiI+oONC8+BQwnnFadTJkln OxtsSmPq5NumsdY+lbKNWTtuItpN/0SQTrDU7FYYaePkhOFBJ7+5zz1Ov0C1l9qf90P1 Wgx17w15Xl4YwpZy7+HNp4bUkz8sm5Dtb3ZkkhOKA7s0+QNEbJ1Q9TkR0Q127ZtSeChB qy7GGJZ4h6aNplD9LreEJf519UCDKegKBiGioDm/zhdg2KlzkgpG8e5XOJ6l/u7wPNs3 PGyHnfw74QjBqbXGObMKMliGwIMs88hKW0WJL66q/W3iVy/shw9c37i8wSLZRXeoybay /aVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777194447; x=1777799247; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=mGw65OLMYegerB67nLbqOzWktk7a+qio8vFHuNBLNOw=; b=EabZuQfC0jKniWaz0RtrsIrPpyHjeV4lF13RVOo7yKj3hXr8WGvIFvTxQ6UL93rxTV OwPDf54y09mEvYjO6lPHmTWy83drmMRR4kiFHRGjmb7ivl1Rp9Lq6LfXyZpkWVXq3hE1 y74x4EmhKXvZ+YKObBM3qKFOrElk34R2BjTVxyUOyAm5aPJdyssesFvNJeam/JAho9o9 lm+9MLDC3CRwUs+ZaCVSOJzBnR3zRZ4ZJk5P3gosQMx5VJVKLK+FiXudvUW4wO6zvvpM G5o8mQ6KkDTvD32qJUzpArVAfUxitdmDQsP1nv2dr2qMEAiWOPmnzaVlzRQRyv4pAkIr +nUA==
X-Gm-Message-State: AOJu0YwSuJv+Pxmzdu8C4lHRgjHYjJJjxlBkLw3mSB0GGGcsDqL7K3KY ahHStprJzTFfiGOy9i4hTHM6+g9CmVgakhKXOWGLOdqW9uEDyjYDZ61p56gLwmFgsWklPchv8xl MTYuyWnDa3frR4pa2oQTKSWiU+QzQla6Rny2QlCowHiquIGnozSj9YYfYQuXR
X-Gm-Gg: AeBDietKqpthkGEpcGRYXfWRU9zOUSsARCgKyGez4HrKMO8NvczF3iiqpsqCIPfwfyB 2qc1Nj/VDkCjOrUeyMAWAdp8Q3rnchMZic9+EJ82BHcIqhap7y2VouZpmo1PljO5WktTI+tcGlY 7vZ7cabhwn3CPicXnPgJQbOsxjq/2y2cVVvdWCkh5vGRWyrNa77Hiure9WNdo6FGSSsY1B5Zxb2 JZIDMhJO6q7bNb3FL8c5CzrRblj8xjOnVtNottVIwvvMFK2BgyJD/PI25LqXRXptPQF8/1bBeHs IDzHZSaQBpwLB9ngpJM2LmvYEJBPqLGas4RbGIXHKVWWlU2PZGpKPh8fah2s3XfxkYrN
X-Received: by 2002:a05:690c:6d83:b0:7b5:a17a:6f55 with SMTP id 00721157ae682-7b9ecf322a6mr388090537b3.21.1777194446567; Sun, 26 Apr 2026 02:07:26 -0700 (PDT)
MIME-Version: 1.0
References: <16CF0FDA-7263-461A-9F2B-D37DBEAF5DD9@sn3rd.com> <d1e64f4d-13ba-4186-85d5-3dff028b62fb@appelbaum.net> <CAMjbhoXvf0PCXiuN2+-G-MSw6-C4vq3eHmjz+GF4dx2F=x-tfw@mail.gmail.com> <032e327f-57b2-428c-a9ee-99c004358e86@appelbaum.net>
In-Reply-To: <032e327f-57b2-428c-a9ee-99c004358e86@appelbaum.net>
From: Bas Westerbaan <bas@cloudflare.com>
Date: Sun, 26 Apr 2026 11:07:15 +0200
X-Gm-Features: AQROBzA38x66_hJ9oQ8cclf1Fg69BvcugEnBgGwY5Qm7FGmrsTsAXwJXqux2dJo
Message-ID: <CAMjbhoURLc1qqjoCXdELKQsYC9ijh_EVgBaBqx3nCsccBNFxoA@mail.gmail.com>
To: Jacob Appelbaum <jacob@appelbaum.net>
Content-Type: multipart/alternative; boundary="000000000000af62b80650595346"
Message-ID-Hash: 3BEATS7JORKV67LXEHS3KAJN24BVM6TE
X-Message-ID-Hash: 3BEATS7JORKV67LXEHS3KAJN24BVM6TE
X-MailFrom: bas@cloudflare.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6WwAWUPea2NHDofFLb0rAhcBUl4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi Jake,

Adding reference to composites in this PR:
https://github.com/tlswg/tls-mldsa/pull/32


> > There is no value in deploying

> PQ if both ends don't support the same thing, and installing 20
> > certificates is not practical.
>
> Practicality seems rather subjective or at least highly contextual. Most
> of the HTTPS infrastructure would be impractical without the automation
> that is already in place. It is natural to extend that automation to
> cover this kind of problem as well, isn't it?


There are many other server operators on this list with an enthusiasm for
automation and not breaking their target audience. Let's hear from them.


> If browser vendors want to
> work everywhere, they'll likely need to support a set of cryptography
> that is global.


If everyone would accept all composites, then we can just pick one at
random. We can't because some are not acceptable to everyone. If that's
because of security then it's important to note that the verifier sets the
policy: it's what the browser accepts that determines security, not what
the server installs. Hence, if there is fragemtation because of security
concerns, then we must have browsers that accept some composites and not
others.


> My position is different. I do not mind a large number of variants, I
> care about the diversity of the variants, and other design factors. The
> primary and most important goal is to actually achieve security.


Your browser is only as secure as the weakest variant you accept. Thus
adding diversity decreases security.


> In draft-ietf-lamps-pq-composite-sigs the authors use the term Trad for

Traditional which is amusing and it fits. It seems that it would be nice
> if they also used the term Rad for the new, hopefully post-quantum,
> cryptographic primitives.


That's pretty funny :).


> One of the considerations is related to raw RNG outputs as I mentioned
> in my NIST comments that I cited in my previous email. I trust that
> you've read my comment to NIST[0] but if not, please consider doing so.


I trust you've also seen my comment on the same forum on the same matter on
April 29, 2023, hence it puzzles me you bring it up.


> Another perhaps more interesting consideration is to have geopolitical
> diversity.
>

I'd like to stay away from discussing malicious motivations as that makes
productive work difficult. I do hope you considered privately the question
what an actor would do that would have a keen interest in delaying the
adoption of PQC.

Best,

 Bas