IETF Logo Mail Archive

[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

Bas Westerbaan <bas@cloudflare.com> Sat, 29 November 2025 09:05 UTC

Return-Path: <bas@cloudflare.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 43C12925D8CF for <tls@mail2.ietf.org>; Sat, 29 Nov 2025 01:05:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=cloudflare.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i_q3jsY4-H_M for <tls@mail2.ietf.org>; Sat, 29 Nov 2025 01:05:29 -0800 (PST)
Received: from mail-yw1-x112d.google.com (mail-yw1-x112d.google.com [IPv6:2607:f8b0:4864:20::112d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 46BA0925D8B9 for <tls@ietf.org>; Sat, 29 Nov 2025 01:05:29 -0800 (PST)
Received: by mail-yw1-x112d.google.com with SMTP id 00721157ae682-787da30c50fso24547367b3.3 for <tls@ietf.org>; Sat, 29 Nov 2025 01:05:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1764407123; x=1765011923; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Rz4UQEeojQuoBW3TukV11AMcXuKZmC0/SKvngwBfQlE=; b=Iti6ZHhCc1wanU1FtPYOugZchI2bLQCSGOqYSeeaHXhUP1Sd8X9HtE8Qtzs68BE59E H0efjwXpxVw4B75bIg0V+HZSIDNDiDSlzeUVPulCDv95I6ixDDSCNYi+AiZChXI2ZpLM tF+4bhWVvQ3kAp3jDCtNKmpQMit91ijrA+R0tkGg01ViM8rEzXLXNLokj8jqAEMaANA0 wE/8ytIr3IYo3ydALNVT4q177wtKI2N6wYO2gJxxgcwgchHaTMcAGH+Kj8/93aoHOe+E 0YTtlC8cW+Al9R0jgaX96dQ+iBt28J0hDVkbzEbNIOQ0oft2yvI6iMqDD/olJ0Ke9UOV sw0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764407123; x=1765011923; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Rz4UQEeojQuoBW3TukV11AMcXuKZmC0/SKvngwBfQlE=; b=WCCEzI9GmmPibL/+8YL8yp9G/rJSuyLpEcMUxnJMceRMI69i7FDbUCscPF2p4Cee6G OAFxepAnP/AJFrFwecSekYJANppS5pqs5ys0+WiLEhiC6lH2wd1R5L05mPeO1HDagmqG AQ5haJlo/ACxVbGGOX2RD5toDY9mR/4ZFTeKLeyaICMa6VALL+pmvRz/AjXtH1EgSxE+ HB+WU+eGCdkQ2IWcVrhuUSGj2A2VKTjhYprvvdK1XsoVN9ZNF+24d7vzr1Mrj+CWH1c5 fHbzGU3xMQWqg944cOwQ6UjZZm1F3KtdK2+EGHw6lhVm7qCMbB5nsBV7R36v+9JEjuy8 9qhg==
X-Forwarded-Encrypted: i=1; AJvYcCU/yzNeWF3O1FkRx4jHVdgEny1MK8BLZjEYf3VTBLCRBzDrWRHQ/gRWUPLptV5sP2eCtfI=@ietf.org
X-Gm-Message-State: AOJu0Yxj51I+35L5n72CoSjkwg7XjAnMH2GJbhEvVCN2DsoJHiqilFdx n8CgqLY0FFGTZpwbeoDNydHTSmor65gf76bo3sE4jlsOzFxFtSVNMbtZOuxmEZqUcYVDSpDyaiV M+sCTw4ylkmDVvqIJS43EzG9feDA5EMf4J9BdvW2OGQ==
X-Gm-Gg: ASbGncufJiEdLcVoLzScbqTWFYJui2leY/dkoxGVkUp6wYcNwIsA5BL9myvXYH6D5xc A76C5yP8TvNYB02UKgJUgXFl4ayrJPi37M2ssNrf33gr2EmLr08Ga3CtfVQ3pH/3hVp+Hyj2DVj Jt1NlQ+LnEJDhN5+RExqA9S5aQuZEZhU0clQI8HIm/8lhDqZUiMASS54Iab9AzmxquZj06pcFk/ tT8iShU/evya/TVFmZwez4jgskQIEE2A3raHR6ndIlrE1dPRxA6174qpnEAKxYI2hX6YWR0FJSb hjYsSxOTHFtO7h789OcjGg==
X-Google-Smtp-Source: AGHT+IHqMCTuGu78zwQ9dpV4epIHbDHvWS/tTj/B9msjjk6Kh8LQbh4Q/MBIA6WD8SLhz0KwrcoW9xuLv7ibg/rO/cA=
X-Received: by 2002:a05:690c:84:b0:787:f2c3:7164 with SMTP id 00721157ae682-78ab6b89859mr310747647b3.0.1764407123344; Sat, 29 Nov 2025 01:05:23 -0800 (PST)
MIME-Version: 1.0
References: <GVXPR07MB9678B44C77FACE5495ABD97789DCA@GVXPR07MB9678.eurprd07.prod.outlook.com> <CAFR824xWR2xQmTF20JKyFc-wDoOSYHCc-MLizqV5MABTGBwcxQ@mail.gmail.com> <GVXPR07MB96789138C31A816AA0E5CA4089DCA@GVXPR07MB9678.eurprd07.prod.outlook.com> <CAMjbhoVpZJ-8HJdSK46eSyDFX=bYdMGv7oXeOaf8JipqNOCw6g@mail.gmail.com> <GVXPR07MB9678611D40CB948FA27D911989DDA@GVXPR07MB9678.eurprd07.prod.outlook.com>
In-Reply-To: <GVXPR07MB9678611D40CB948FA27D911989DDA@GVXPR07MB9678.eurprd07.prod.outlook.com>
From: Bas Westerbaan <bas@cloudflare.com>
Date: Sat, 29 Nov 2025 10:05:11 +0100
X-Gm-Features: AWmQ_bmdMOg30tlKR-Z7g6HFpZCOrCuSzgLV-3U1U1GKkMpOpgQCoe9VynZpOLA
Message-ID: <CAMjbhoVzKPCtqfZgcb68Ux3wBrJxvCe0CvTJB3s-Z_O8MQKWAA@mail.gmail.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d407190644b80b9b"
Message-ID-Hash: PHVL6SBHU2YANFCC55YZ6SELFCMM5GQE
X-Message-ID-Hash: PHVL6SBHU2YANFCC55YZ6SELFCMM5GQE
X-MailFrom: bas@cloudflare.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HR46o1WJ1FtEdiFjyCwOZqpEqxw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

>
> But HRR is only a short-term solution, long-term I would like to not
> support negotiation of standalone ECC, and a client advertising suport of
> X25519 and then closing the connection if that is actually negotiated is
> not very nice and to my understanding not compatible RFC 8446.
>

I don't follow your line of thought here. A client can send no keyshares in
the ClientHello, and only advertise support for X25519MLKEM768. That's
compatible with RFC 8446, no?



>
> Cheers,
> John Preuß Mattsson
>
> *From: *Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>
> *Date: *Saturday, 29 November 2025 at 05:16
> *To: *John Mattsson <john.mattsson@ericsson.com>
> *Cc: *Deirdre Connolly <durumcrustulum@gmail.com>, tls@ietf.org <
> tls@ietf.org>
> *Subject: *Re: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends
> 2025-11-26)
>
> I know John is not talking about the public web, but I would like to
> mention that there we do have fragmented ClientHello even with ML-KEM-512.
>
> John, I'm curious: how well is the HelloRetryRequest flow supported in
> your environment? That is: advertise support for X25519MLKEM768 but don't
> send it, and then have the server ask for it using HelloRetryRequest. In
> our experiments to origins, we didn't see any issues with this flow and
> enabled it by default. We did see some servers that do not support PQ also
> not supporting HelloRetryRequest (to a non PQ curve they do support).
> Hopefully this is just a server side problem and not a middlebox, but we
> can't tell that apart just yet.
>
> On Fri, Nov 28, 2025 at 5:45 PM John Mattsson <john.mattsson=
> 40ericsson.com@dmarc.ietf.org> wrote:
>
> I missed that Meta used ML-KEM-512 as an optimization. My interest was for
> middlebox traversal when connections using X25519MLKEM768 are dropped. In
> those cases, the fallback options are X25519 or ML-KEM-512. Today it could
> be argued that the risk of implementation bugs in ML-KEM is higher than the
> quantum threat to X25519, but that balance will shift in a few years. My
> interest in TLS is internal telecom networks, not the public Internet or
> enterprise environments.
>
> I hope I am wrong, but my expectation is that some middleboxes blocking
> X25519MLKEM768 will still be around in 2030–2035, when I would prefer to
> phase out standalone ECC.
>
> John
>
> *From: *Deirdre Connolly <durumcrustulum@gmail.com>
> *Date: *Friday, 28 November 2025 at 15:57
> *To: *John Mattsson <john.mattsson@ericsson.com>
> *Cc: *Stephen Farrell <stephen.farrell@cs.tcd.ie>, TLS@ietf.org <
> tls@ietf.org>
> *Subject: *Re: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends
> 2025-11-26)
>
> > Yes, Meta has a good article on the topic
>
> >
> https://engineering.fb.com/2024/05/22/security/post-quantum-readiness-tls-pqr-meta/
>
> This is a good article— I want to highlight that Meta deployed
> Kyber/ML-KEM-512 only on their internal connections, and don't seem to have
> any plans to roll that out to their external connections. While -512 nicely
> fits existing infra, and I agree it should be available especially for IoT
> settings and internal deployments like Meta's, in general public internet
> settings it seems to be a a little riskier as a right-on-the-line parameter
> set for NIST Level 1 security than say -768, which has more headroom
> security-wise.
>
> On Fri, Nov 28, 2025, 2:17 AM John Mattsson <john.mattsson=
> 40ericsson.com@dmarc.ietf.org> wrote:
>
> Hi Stephen,
>
> >Do you know if anyone's written up a description of that?
>
> Yes, Meta has a good article on the topic
>
>
> https://engineering.fb.com/2024/05/22/security/post-quantum-readiness-tls-pqr-meta/
> <https://engineering.fb.com/2024/05/22/security/post-quantum-readiness-tls-pqr-meta/?utm_source=chatgpt.com>
>
> There has also been quite a lot written about middleboxes,
> load-balancers, and other software that assume the ClientHello always fits
> in a single packet. See e.g.,
>
> https://blog.cloudflare.com/pq-2025/
> https://www.ietf.org/archive/id/draft-reddy-uta-pqc-app-07.html
>
> Just looking at the key share sizes, it is quite easy to see that you can
> use ML-KEM-512 (800 bytes) and would have been able to fit X25519MLKEM512 (832
> bytes) and still fit ClientHello in a single packet. It is also quite
> easy to see that it for many PMTUs it is problematic to fit ML-KEM-768
> (1184 bytes) and X25519MLKEM768 (1216 bytes) in a single packet.
>
>
> https://datatracker.ietf.org/doc/draft-ietf-iotops-security-protocol-comparison/
> https://tls13.xargs.org/#client-hello
> https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf
>
> While it did argue for X25519MLKEM512 (and X448MLKEM1024) I did not
> understand at the time that I would have wanted X25519MLKEM512 for
> middlebox traversal. Then I would have argued harder for X25519MLKEM512.
>
> The current situation is that OpenSSL 3.5 LTS has shipped with
> X25519MLKEM768, ML-KEM-512, ML-KEM-768, and ML-KEM-1024 and even if TLS WG
> standardise X25519MLKEM512 now, it will take several more years until it
> would be added to a OpenSSL LTS, which a lot of infrastructure is based on.
> That would make it hard to meet 2030 deadlines for PQC migration but would
> meet 2035 deadlines. I can live with ML-KEM-512 for middle box traversal,
> but if TLS WG does not publish ML-KEM-512, I would suggest that
> X25519MLKEM512 is added to draft-ietf-tls-ecdhe-mlkem.
>
> (Regarding misbehaving servers, if they don’t handle fragmented
> ClientHello they likely don’t support ML-KEM anyway and you need to retry
> with standalone X25519. Middleboxes and load-balancers is the big problem)
>
> Cheers,
> John
>
> On 2025-11-27, 20:43, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote:
>
>
> Hi John,
>
> On 27/11/2025 16:02, John Mattsson wrote:
> > - ML-KEM-512 is the only adopted quantum-resistant algorithm that
> > can be used to bypass legacy middle boxes.
>
> Do you know if anyone's written up a description of that?
>
> Thanks,
> S.
>
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>
>

v2.37.1 | Report a Bug | By Email | System Status