[TLS] Re: draft-connolly-tls-mlkem-key-agreement

Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 14 December 2024 07:59 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/CvC9VlgnXdF2jh_Ooqex0_bhaN0>

On Fri, Dec 13, 2024 at 08:24:24PM -0800, Joseph Salowey wrote:

> You continue to violate list policy with unprofessional commentary on other
> participants' motivations and repeatedly raising points that are out of
> scope.  Please stop this behavior.  This is the last warning before we will
> take action and temporarily ban you from the list; see BCP 94 [0].
> 
> [0] https://datatracker.ietf.org/doc/html/rfc3934

I personally find this threat excessive under the circumstances.  However
forceful, or insistent on being heard, Dan may be at times, history has
shown that he is often enough ultimately proved right, years or decades
later.  However "inconvenient", IMHO his voice should not be suppressed.

If his strong view is that pure PQ KEMs (probably not just
ML-KEM/Kyber) are too novel to be responsibly relied on without a
classical fallback, then he should IMHO be able to forcefully make that
case.

If there is nevertheless a demonstrable plurality of reputable
cryptographers on record as saying that *pure* PQ KEMs are (despite
initial implementation bugs) strong enough to move towards deployment,
then Dan's view may not prevail, but I do not find his posts to be
beyond the pale.

There were also (with IIRC Dan instrumental in bringing these to light)
some early side-channel issues in AES that AFAIK still apply to some
reference pure software AES implementations; when used securely, AES
is hardware-assisted, or slower if counter-measures are implemented.

The AES issues were unfortunate, and ideally would have been identified
prior to standardisation, but proved "fixable".  If we're in luck
that'll also be true with Kyber, but arguments for some caution don't
come across as unfounded.

-- 
    Viktor.