[TLS] Re: WG Adoption Call for Use of ML-DSA in TLS 1.3
Eric Rescorla <ekr@rtfm.com> Wed, 16 April 2025 03:18 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/EzDUUGG8ZS5q7C4DH1ol5mWt64s>

On Tue, Apr 15, 2025 at 7:58 PM Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:

> On Tue, Apr 15, 2025 at 07:30:25PM -0700, Eric Rescorla wrote:
> > On Tue, Apr 15, 2025 at 7:02 PM Viktor Dukhovni <ietf-dane@dukhovni.org>
> > wrote:
> >
> > > On Tue, Apr 15, 2025 at 01:55:35PM -0700, Andrey Jivsov wrote:
> > >
> > > > I don't think that standalone ML-DSA should be adopted.
> > > >
> > > > There is time to move to a non-hybrid X.509 and digital signatures
> > > > in the future.
> > > >
> > > > This topic has implications to availability of X.509 certificates, as
> > > > there is a real risk that CAs will prefer standalone ML-DSA to the
> > > > exclusion of hybrids, and also that other protocols will be limited
> > > > to standalone ML-DSA.
> > >
> > > But CAs do not choose EE keys, the key in the CSR is chosen by users.
> >
> > Well, yes and no. CAs, at least in the WebPKI, will only sign keys that
> > are allowed by the CABF Baseline Requirements (which, AFAICT, do
> > not allow any PQ algorithms at present).
>
> Yes, of course, CAs will only sign those user-requested keys that they
> support, but it is still the user (be it a bot the user deployed in some
> cases) that chooses the key algorithm, from the set of key algorithms
> supported by the CA.

Yes, but the CAs are historically quite conservative about this. You'll
note that CAs still don't support EdDSA, for instance. So I don't
think it's actually a safe assumption that CAs will support both ML-DSA
and ML-DSA hybrids.

> Market demand and stable specifications will
> determine whether/when CAs will support hybrid keys, and users will
> then be able to request hybrid certificates. I don't see this adoption
> call as a plausible barrier.

I agree that this adoption call is largely irrelevant to what CAs
support.

-Ekr