[TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM KeyAgreement for TLSv1.3
Sophie Schmieg <sschmieg@google.com> Mon, 20 October 2025 18:32 UTC
Return-Path: <sschmieg@google.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id D2F1A7884EC0 for <tls@mail2.ietf.org>; Mon, 20 Oct 2025 11:32:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -17.6
X-Spam-Level:
X-Spam-Status: No, score=-17.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JWlcj5e1QlHd for <tls@mail2.ietf.org>; Mon, 20 Oct 2025 11:32:17 -0700 (PDT)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 95E3E788438D for <tls@ietf.org>; Mon, 20 Oct 2025 11:31:48 -0700 (PDT)
Received: by mail-lf1-x12b.google.com with SMTP id 2adb3069b0e04-587bdad8919so1217e87.0 for <tls@ietf.org>; Mon, 20 Oct 2025 11:31:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1760985100; x=1761589900; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=2bkS48nxDJxgtLqg2bsuAov3ydqR+Fm0AeTatw6fYM4=; b=4sQR9/RimF/tv54IHEjuUNaz0FMJh9+kF2beE4HY8gHMRnZ+wBqMBkgo5nc7/8gUZZ DIQXwPzKOp1bodmaaAqcTHDGy5V3nHXejufFUTwJq0cVYwfvbAOjoao+bBI3+fL6HHPu KzDcPpvjzIKstYtjMtIgqSzFHHi31CpYNKpPOfPLIyTS204ArXv2lm8A/f7ahWpR9RUv CvxhyOVD9TO4ZmT6b52gIX7GqZz0O+gYpykQCEvU9UOdI5K7hAVqGAL3Fa51SpCCQj9M ur+8tYo+aFjTgGlVfdlLZ9oRCLzXvT88Z6+V0+FIG1yRoeh9MG08oBzBMIOTOU0BRv6w B7FA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760985100; x=1761589900; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=2bkS48nxDJxgtLqg2bsuAov3ydqR+Fm0AeTatw6fYM4=; b=m0b3JKLaB2A6pVvdTow94ra9yO+60CK0pIep9uI4plf3cc85cmLSliiNls0/EevTg1 CQkh3GfxVGjGUSHQEu6NZmnpC8/MtvhvrJ5E82ion4vJW5FvbiPkmKMeTaxXFUMbevhI C46d7eh1mqiOoBXIz36Ch/u4bKs+UEXuBoG0awitHnbZ1WeG3XGdswBXdxm8k3UDA4NK QLghrxi9qF+VUjGPoOi25Zr/Csi4VUVXdu/2t8l38DuuT2uPsOvWkNvzXeyomdYukVD7 vIbOxLGNZvR/96rOmace8Bgbn0xjRVy4isw//3pf+zZV/41SrIyq3EIiXHwz7RGPtDJN cbqw==
X-Forwarded-Encrypted: i=1; AJvYcCXYn9QBvWPdtQtG9b3GCgEDfbDzBKpgvtB/R1u+iIDe/Ca0DXu1xW9qksxWpviHaji2Rio=@ietf.org
X-Gm-Message-State: AOJu0YxwcoFBZ7JAO1s3bfgQCvMZ3S9lOa6kJfnl8vjWPfK1ke0R1vLT P4u9PNFn6BLphNQbjzOPeT58ooVH3IDIVIOoOcKbx9xWUCnK35LAJGtFPJ0PfatO9uR/JqFxuNc XjTJpVpsdG85g7VADC5Pv9mNjKNklEECXjLJbtiMGIlz2TW7sEN079ejF
X-Gm-Gg: ASbGncvo1PPXpKGE28LkCqXMynQPVtgGAMFjXQ7VnBfghZBhd7XGM2vqKROWFvw7S1Z aEECeYv0BYY5k7rj0J0jZhWCAKAU3UALitkHTzYoMhWEmMCIPtTKKnNjx8EWVyRzdyeCrxhEzbh iZLI5L1nJzGGlRwIBw30iTb4YxKYSCwBrNG86OtenegpG8OTkfFV76/bSG/zbdzCcp5NGI681AD jE4eyK1DM3WVyQp3ZRIE8NIr9jWuQ98u93ehvcDD40jL2HNRwCN7XQlJcSfRbk+665SBFrhXnJ0 5ZRBaGhxkP+iWedZXs30YvUZ1BEo5g==
X-Google-Smtp-Source: AGHT+IGxu06iaZWliiKprJBvBNU+uShs3yQwKSrlWBDS+y4nHQlWl/f2GgKtnV/6knoeWAfLJOZpEZO8Smt6H6/KEH8=
X-Received: by 2002:a05:6512:15a5:b0:55b:9f89:928b with SMTP id 2adb3069b0e04-591eaa2bd0emr32215e87.1.1760985100185; Mon, 20 Oct 2025 11:31:40 -0700 (PDT)
MIME-Version: 1.0
References: <GVXPR07MB9678ADD1D3268BB055751EA989F5A@GVXPR07MB9678.eurprd07.prod.outlook.com> <CABcZeBOH289QVSZomDfE8dUK5oB7kM0i_66s3S260WOjyTp4kw@mail.gmail.com> <871pmxip86.fsf@josefsson.org> <a0d3380c-28aa-4669-99d8-0567355cf23b@redhat.com> <877bwpd0r6.fsf@josefsson.org> <b3a9ca6f-97b0-4627-8b25-8ad7dd609a36@redhat.com>
In-Reply-To: <b3a9ca6f-97b0-4627-8b25-8ad7dd609a36@redhat.com>
From: Sophie Schmieg <sschmieg@google.com>
Date: Mon, 20 Oct 2025 11:31:28 -0700
X-Gm-Features: AS18NWBRwCcBl7HrJJ-G3d0FoFuVxbUB5ptrjPgxvDEXZmaDghEcSlYmhxUac9U
Message-ID: <CAEEbLAaFe9tZyov27pR74uUVcZ-_G9YB_-fxYUyvA3gBiCeebw@mail.gmail.com>
To: Alicja Kario <hkario=40redhat.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005ae32e06419b4be1"
Message-ID-Hash: MCN2J4K6DAPPSK4QKPDCTZQFJ6QFUGRI
X-Message-ID-Hash: MCN2J4K6DAPPSK4QKPDCTZQFJ6QFUGRI
X-MailFrom: sschmieg@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>, tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM KeyAgreement for TLSv1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8UeiU09n6hkRXz2zaZitHqoEL38>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Note that this is discussing the key agreement to begin with, so it would be ML-KEM in any case. And again, I have no strong preference on any of the flags, MTI is imho meaningless (there is no such thing as mandatory to implement, since no enforcement arm of IETF exists, thankfully, so implementers can just not implement something if they don't want to), and the RECOMMENDED flag is similarly undefined, as has been argued back and forth on the list. Let's just ship it, please :) On Mon, Oct 20, 2025 at 10:14 AM Alicja Kario <hkario= 40redhat.com@dmarc.ietf.org> wrote: > On Monday, 20 October 2025 17:57:33 CEST, Simon Josefsson wrote: > > Alicja Kario <hkario=40redhat.com@dmarc.ietf.org> writes: > > > >> If that classical part was good enough to be MTI and stay as > >> Recommended now, it should be good enough to be part of the hybrids > >> too. > > > > I disagree with that, if you imply that the P256 hybrid should be MTI. > > > > So if old DSA was still MTI we have to make DSA + ML-DSA MTI too? > > We're not discussing if any of the hybrids should be mandatory to > implement. > And what is the purpose of discussing alternative timelines where DSA is > dominant? > > > I think we should make decisions about P256+MLDSA based on today's > > knowledge about P256 and MLDSA (and the combiner) rather than having > > necessarily make decisions that use earlier decisions on P256 as a least > > common denominator (i.e., MTI). > > And what did fundamentally change since the P-256 was marked as MTI and > both it and secp384r1 curve were marked as Recommended? > -- > Regards, > Alicja Kario > Principal Quality Engineer, RHEL Crypto team > Web: www.cz.redhat.com > Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic > > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org > -- Sophie Schmieg | Information Security Engineer | ISE Crypto | sschmieg@google.com
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Paul Wouters
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Working Group Last Call for Post-quantum Hy… Joseph Salowey
- [TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Post-quantu… David Adrian
- [TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Deirdre Connolly
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… tirumal reddy
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Andrei Popov
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Thom Wiggers
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… David Benjamin
- [TLS] Re: [External⚠️] Re: Working Group Last Cal… Yaroslav Rosomakho
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Eric Rescorla
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: Working Group Last Call for Post-quantu… Martin Thomson
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: [External] Re: Working Group Last Call … D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Filippo Valsorda
- [TLS] Re: [External] Re: Working Group Last Call … Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: [External] Re: Working Group Last Call … John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Dennis Jackson
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Stephen Farrell
- [TLS] Re: Working Group Last Call for Post-quantu… Joseph Birr-Pixton
- [TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
- [TLS] Re: Working Group Last Call for Post-quantu… Christopher Patton
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Rob Sayre
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Appeal Response to Rob Sayre - was Re: Re: … Paul Wouters
- [TLS] Re: Appeal Response to Rob Sayre - was Re: … Rob Sayre
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Peter Gutmann
- [TLS] Re: Working Group Last Call for Post-quantu… Yaakov Stein
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Joseph Salowey