[TLS] Re: Working group last call for the deprecation experimental code points in ECDHE-ML-KEM
Joseph Salowey <joe@salowey.net> Sat, 15 November 2025 22:33 UTC
Return-Path: <joe@salowey.net>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 920A98A34B0B for <tls@mail2.ietf.org>; Sat, 15 Nov 2025 14:33:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NvDyo4dIGXRg for <tls@mail2.ietf.org>; Sat, 15 Nov 2025 14:33:32 -0800 (PST)
Received: from mail-pg1-x534.google.com (mail-pg1-x534.google.com [IPv6:2607:f8b0:4864:20::534]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 073488A34B00 for <tls@ietf.org>; Sat, 15 Nov 2025 14:33:32 -0800 (PST)
Received: by mail-pg1-x534.google.com with SMTP id 41be03b00d2f7-bc17d39ccd2so1686068a12.3 for <tls@ietf.org>; Sat, 15 Nov 2025 14:33:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20230601.gappssmtp.com; s=20230601; t=1763246011; x=1763850811; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=oQXT+J0Oj9ki+Rv3vP18CTn26kpMnqNrY9igYcCDDHI=; b=Svz8LTEu7o4a91vmzooXeRtiUX2uGEgyivk3Dl+qbUDf6CTlE+MUAP9bZbHp1Da1Pl oiPTY0Wz3U6E+RDWoIePeQ0WyLWZHExcDxEHmwENvWiKQnrVwBvG2TUs/gssLtNNhHm0 vvnuyoSapzB+hxu+iLc89RwYTSDCzw8QhUEcAGsvrPyox11MTLGC+FxjAdIn8WCM5nhs gsts31Vfga8Y0MZB/bRL7qD5eEXXoPlawC8AgiHMWGvFKTuLFPbook7rAaVXp0MaQYpZ v+7iWV6SjeUpB+z/lNnEFnNgwrmtizr7KpESPhS57SjW5Hg4SMmIvg47rYNA0WEqBRw6 WzVA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763246011; x=1763850811; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=oQXT+J0Oj9ki+Rv3vP18CTn26kpMnqNrY9igYcCDDHI=; b=kRUVuWV4blw/1Fbl1MifVxGtxWuxnn6dA8poobeg6EbDDAmqK/yUVvXH6/JFtpHRRE 6c1NmvVjVnsC1JVBil4Mt0qg8v3UnJb43VbkmxIYAnHDwnRzS/u7Yh9Ttc1S4CVOjr2Q afzb2elpwjxI8xbCduChPM082uDdnAJoQJSG+Qd2WeKAg+RwnrKGac2HqQx3Qb48wUNq QtGv6KiuHCCfR89hQHzG2pIlyfg9X0dr0SaaHwoy4op6Cg5UYLyC2kmmo3bvyowRoQ9Y At3H8Kvhr2X1Lu8PAAL1FZ97k4E1hGL9HCdTkAk41WDRrc3nZ5NE3Wy/ZbPm/SyXlO+X EwDg==
X-Gm-Message-State: AOJu0Yz40VbFirBjSmlbBEjCpVavMya4+qCe9WwDxuPpJNqHnUhfmZKM q0F33n7tyaDnn5IMYodVmmrbvNcS+sjYOFDqs90/gLi1mfFs+58njP/rvnUrXPtgwAV0oJPu+ih pQzh6Yf9NlMKQuJ1/XHvDst9vTi8GveQWuDMpnEbejjmItFZBxydxFJ0=
X-Gm-Gg: ASbGnctBYev3PViNBCI0tUT/b4p3b2Y1Z1fxxBxTHmIMvhIWQOIIGPnH5Y64BtuWpdz acrkgrE8ohsiyFu1Pu1cwcnBtxEJIifOqTPYk/kcRuWOYXoTeRxBuWghJEmb6HvQsv/4+GrRdTR d3+pikyWFLWBzSmq3ChdWrxg+zJSPKAeai6ruFwThPYN3bvMOzBsEXyPwfrS59tMGIuW3dFwnL+ Qu9P0gkUBw5xy4J77ABpT8CmutbSzf+G/kTicF84fYsMyGA4YJxIGXaaiEV4Q4VZ1KKk80S
X-Google-Smtp-Source: AGHT+IGFAoV+A9pnDd3CtsDJZer9JHH5CW5FPG3Kkbt2ovhly7knQAJY8oWi/2JMW5nU5m+uPhxTorAbQOo/0H8fFe4=
X-Received: by 2002:a05:7300:106:b0:2a4:3593:4676 with SMTP id 5a478bee46e88-2a4abd97416mr3124100eec.18.1763246010734; Sat, 15 Nov 2025 14:33:30 -0800 (PST)
MIME-Version: 1.0
References: <CAOgPGoDsX09SEUXr+Tq_m_5bs+erCLagSGMrAVohBRMqOkAtRQ@mail.gmail.com> <0bb9483f1bef258d67d543c300b1035fbca4680a.camel@aisec.fraunhofer.de> <0f353e98-3a8b-492b-8792-ee5f203a38e1@app.fastmail.com>
In-Reply-To: <0f353e98-3a8b-492b-8792-ee5f203a38e1@app.fastmail.com>
From: Joseph Salowey <joe@salowey.net>
Date: Sat, 15 Nov 2025 14:33:19 -0800
X-Gm-Features: AWmQ_bnaNdTeJc_sGelnI-r1mhsZ5PFpDrCuZ1PeX-W61wt_wV83tbexQwv_YzU
Message-ID: <CAOgPGoA8EmWsPQD6Svg9LhRB2XtYiPhCnwA37ddC3SJ67u0jTg@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001f256a0643a9b4c6"
Message-ID-Hash: BAOSPCVUGIO2PPCRVS6OLWAG62NHJEEV
X-Message-ID-Hash: BAOSPCVUGIO2PPCRVS6OLWAG62NHJEEV
X-MailFrom: joe@salowey.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working group last call for the deprecation experimental code points in ECDHE-ML-KEM
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ACz50B__sVR4jIy6u4v4_ewuFRc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Thanks everyone for participating in this call. The document will be updated to standards track with a slightly modified text in the obsolete section: PR - https://github.com/tlswg/tls-ecdhe-mlkem/pull/55/files Text for section 7.4: Experimental code points for pre-standard versions of Kyber786 were added to the TLS registry as X25519Kyber768Draft00 (25497) and SecP256r1Kyber768Draft00 (25498). This document obsoletes these entries. IANA is instructed to modify the recommended field to 'D' and update the reference to add [ this RFC ]. The comment fields for 25497 and 25498 are updated to "Pre-standards version of Kyber768. Obsoleted by [this RFC]" Thanks, Joe On Wed, Nov 5, 2025 at 4:06 AM Filippo Valsorda <filippo@ml.filippo.io> wrote: > 2025-11-05 09:15 GMT+01:00 Bellebaum, Thomas <thomas.bellebaum= > 40aisec.fraunhofer.de@dmarc.ietf.org>: > > > > added to the TLS registry as X25519Kyber768Draft00 (25497) and > > > SecP256r1Kyber768Draft00 (25498). This document obsoletes these > entries. > > > IANA is instructed to modify the recommended field to 'D' and update > the > > > reference to this [ this RFC ]. The comment fields for 25497 and > 25498 are > > > updated to "obsoleted by [ this RFC ]" > > To be clear: We are not freeing the registry from these entries, but just > warn against interop problems because everyone is supposed to use the new > code points? > > So the WG rejects "D" as a means to warn against non-hybrids with some > resoning that D is only "for weak cryptographic algorithms" [1], and would > group it "with NULL ciphers, RC4, DES, EXPORT ciphers, MD5, etc" [2]. > Yet, for some reason we are more flexible here? > > > The full quote from > https://www.ietf.org/archive/id/draft-ietf-tls-rfc8447bis-15.html#section-3, > linked at from [1], is "*This marking could be used to identify > mechanisms that might result in problems if they are used, such as a weak > cryptographic algorithm or a mechanism that might cause interoperability > problems in deployment.*" so yeah: "NULL ciphers, RC4, DES, EXPORT > ciphers, MD5, etc" are the former, this is the latter, and pure PQ > algorithms are neither. > > Anyway, I support this change. (I don't think the track of a document ever > had any impact whatsoever on my work, so why not.) > > Normally I would welcome the above measures, but the picture it paints is > that there are already some hybrids with "D" yet there are non-hybrids with > "N", so "_surely_ hybrids are less safe", which (putting aside the > important technical debate on this) is definitely not true for reasons of > code point allocation. > > I oppose this change until the comment fields are made more descriptive. > Something like "Concluded experiment, refer to [ new equivalent code point > ] for standard ML-KEM" would suffice. > > -- TBB > > [1] https://mailarchive.ietf.org/arch/msg/tls/bULX8Y0mPdmW5_d5Q5VTdupR4nY/ > [2] https://youtu.be/zTAuEx9Otys?si=5hllRBXbjkkG1E8o&t=1909 > > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org > > > *Attachments:* > > - smime.p7s > > >
- [TLS] Working group last call for the deprecation… Joseph Salowey
- [TLS] Re: Working group last call for the depreca… Salz, Rich
- [TLS] Re: [EXTERNAL] Working group last call for … Andrei Popov
- [TLS] Re: [EXTERNAL] Working group last call for … Eric Rescorla
- [TLS] Re: Working group last call for the depreca… Kris Kwiatkowski
- [TLS] Re: Working group last call for the depreca… Yaroslav Rosomakho
- [TLS] Re: Working group last call for the depreca… Kaduk, Ben
- [TLS] Re: Working group last call for the depreca… Watson Ladd
- [TLS] Re: Working group last call for the depreca… Kampanakis, Panos
- [TLS] Re: Working group last call for the depreca… Bellebaum, Thomas
- [TLS] Re: Working group last call for the depreca… Bas Westerbaan
- [TLS] Re: Working group last call for the depreca… Viktor Dukhovni
- [TLS] Re: Working group last call for the depreca… Peter Gutmann
- [TLS] Re: Working group last call for the depreca… John Mattsson
- [TLS] Re: Working group last call for the depreca… Bellebaum, Thomas
- [TLS] Re: Working group last call for the depreca… Eric Rescorla
- [TLS] Re: Working group last call for the depreca… Filippo Valsorda
- [TLS] Re: Working group last call for the depreca… Joseph Salowey