IETF Logo Mail Archive

[TLS] tls-server-end-point channel binding for ML-DSA

Nico Williams <nico@cryptonector.com> Wed, 29 October 2025 04:48 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id CF0C27DCFB96 for <tls@mail2.ietf.org>; Tue, 28 Oct 2025 21:48:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A46WKaXYl8_4 for <tls@mail2.ietf.org>; Tue, 28 Oct 2025 21:48:28 -0700 (PDT)
Received: from toucan.tulip.relay.mailchannels.net (toucan.tulip.relay.mailchannels.net [23.83.218.254]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 094407DCFB8A for <tls@ietf.org>; Tue, 28 Oct 2025 21:48:27 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 4EB22461AA4; Wed, 29 Oct 2025 04:48:21 +0000 (UTC)
Received: from pdx1-sub0-mail-a401.dreamhost.com (trex-green-1.trex.outbound.svc.cluster.local [100.121.87.108]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 05380461AE1; Wed, 29 Oct 2025 04:48:21 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1761713301; a=rsa-sha256; cv=none; b=PWchKLkI6IuoxwViHxvmuccsY96L/k5xPk5Pj0RaIDfSr0tCgWOnsmB8F7F1mk0Q8Shr7d 7SsrswCoFCtIHiCLJBr9KBTDCzTp+OsQbReHLeIS8uc3hiXpu3XpCbJb2SkrDOQrofOYOS 05EqdwB/qMfdIVipKMdC3kFyJ4fA9z6maBhQ+cnR77TDKR5u5yfz+TcOhkvtc6gJ8IPsHF ZWxuMr4M4MzOqCvr/+C7Nbbw9rsysbZ4lOoOvHvy4tTeF75A1eTL8tuZu9/oIQCgdGrhwh jt4SPpBuAQSwoBEd5fo/VS2n1LILdhgj61b3laT5VLv/3hdobsGrqBy8vl4Npg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1761713301; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: dkim-signature; bh=xpTE4b8UpJGw+aA2zm0BCVHJJOKIPwOjh+N/pkESV3Q=; b=TSQ9TwoAvFEhnb4P3hjYAt8+hE3b/1Z6L0/VHpOCnaRWzDNPVuPnccQ+n0bVHObz1UO2n5 QG6h/Dd6pTMoauDT6v9pcAzc5HS+G26asGnxnF9+OTo6Ms+dUPTeW1bMqG/HLUSNsWEMDf 6iAlTJS3UJWmYm0J/WVmbVMrBvzenUpDdfE8iGbypWZzg6oiN8x0KLDBLuqR8AS+WfD4VQ kSePFce47kiGxuXP8dFd/TSMT5iBhEUq3BksoP3vGNWnm5sFSRo9tvgbxzElNy8VVkmn0F BOxnPbDPx5aq5hwJ8/7gnQttjF+ZApz7sBGr1SM8drF3cgT5sAWWmaLD7BLS7g==
ARC-Authentication-Results: i=1; rspamd-77bb85d8d5-4s8k7; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Well-Made-Occur: 5258bf4252c5758d_1761713301215_2304691180
X-MC-Loop-Signature: 1761713301215:3722866319
X-MC-Ingress-Time: 1761713301214
Received: from pdx1-sub0-mail-a401.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.121.87.108 (trex/7.1.3); Wed, 29 Oct 2025 04:48:21 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1761713300; bh=xpTE4b8UpJGw+aA2zm0BCVHJJOKIPwOjh+N/pkESV3Q=; h=Date:From:To:Subject:Content-Type; b=I/GsPv++OI8ciytPriZFIJKs5WQpObHHLUfjmd4nzCTONr5Y51+FF+xr49EkLBN3t niWTRlkTJ9lqXRd2S3EhgvGhOCFb4bgiv0dbRj9xBjsG0GaS51CB01u6mqECkR8bpJ sCBBlfU8s0TahVOX7HqlsVZL+Dsl5dGCQHi6zdHjecN/6XLGBNEAUX60ZRt+UR6YWS ELTSIRrBcDhW8byEJs1f69WRvU6688W8+GyDe6fW4MaUQCydLHNpKPx6qlyx76Egs2 Isy6PUttOucPZojX9l2U9hOpqmI8JzE5+XAKbp/HAaGTa+xMSg9vqdIrR1IsIwaCsV jfanfPTFmx8gg==
Received: from ubby (unknown [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (prime256v1) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a401.dreamhost.com (Postfix) with ESMTPSA id 4cxF9w3nhlz2wMs; Tue, 28 Oct 2025 21:48:20 -0700 (PDT)
Date: Tue, 28 Oct 2025 23:48:18 -0500
From: Nico Williams <nico@cryptonector.com>
To: tls@ietf.org
Message-ID: <aQGcki4qQ7S0SzT7@ubby>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="l9uWxMu6xM6LYxgX"
Content-Disposition: inline
Message-ID-Hash: J4K3IIJQDQAPPEXTTSEOCBRMVESUHOMU
X-Message-ID-Hash: J4K3IIJQDQAPPEXTTSEOCBRMVESUHOMU
X-MailFrom: nico@cryptonector.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] tls-server-end-point channel binding for ML-DSA
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/CEaZg1l-4iVg0_wdEr5_rXfGYWc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

A post [0] to the pgsql-hackers@postgresql.org mailing list 8 days ago
points out that tls-server-end-point channel binding for ML-DSA is
undefined.

[0] https://www.postgresql.org/message-id/CAFjYY%2BJCCQeh03nzVG6Rs9MUgU_kOvhMbNaaS6kn_c4CcAZkTg%40mail.gmail.com

Basically per RFC 5929, section 4.1, if the signing algorithm does not
have an associated digest -or has more than one- then
tls-server-end-point channel bindings (let's call that TSEP CB) for the
connection is undefined:

|  o  if the certificate's signatureAlgorithm uses no hash functions or
|     uses multiple hash functions, then this channel binding type's
|     channel bindings are undefined at this time (updates to is channel
|     binding type may occur to address this issue if it ever arises).

ML-DSA indeed does not hash the to-be-signed data, though it does use
_two_ hash functions internally (SHAKE128 and SHAK256).

The HashML-DSA variants do use a hash function (each) to digest the
to-be-signed data, but using HashML-DSA just to have TSEP be defined is
not satisfying because not using ML-DSA to sign certificates is not
exactly an acceptable solution here.

Surely there will be other signature algorigthms for which TSEP CB will
not be defined.

What can we do to fix this?

Options include:

a) update RFC 5929 to use some other hash function from the TLS
   handshake in this case

b) update RFC 5929 to specify a default hash function for such cases
   (unsatisfying unless the "hash" function were the identity function)

c) update RFC 5929 to create an IANA registry mapping signature
   algorithms to hash function for use in TSEP CB

d) define TSEP-<HASH-FUNCTION> CB types and let apps negotiate CB types
   (also unsatisfying: because apps generally do not negotiate CB types)

e) ask CFRG, NIST, etc, to always specify a function for use in TSEP
   when specifying any new signature algorithms
   (this could take a long time to achieve)

f) ??

(a), (b) using the identity function, and (c) all seem workable.

(d) is right out, and (e) could take forever, though (e) might be
desirable for other reassons.

Advice?

Nico
--

v2.38.3 | Report a Bug | By Email | System Status