[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

richard@zotrus.com Thu, 27 November 2025 00:42 UTC

From: richard@zotrus.com
To: 'Eric Rescorla' <ekr@rtfm.com>, 'Muhammad Usama Sardar' <muhammad_usama.sardar@tu-dresden.de>
References: <20251126185919.362611.qmail@cr.yp.to> <9ce12b8e-9982-4194-987d-d2ca3a41ea48@tu-dresden.de> <CABcZeBOffkV9eUtpdPp8eWB_eMA1c6-GOMHoZcDs93cGm1kwfw@mail.gmail.com> <10352a8e-c3d5-457e-854d-e72e31fca2d2@tu-dresden.de> <CABcZeBPzabtzCs=zLncyjFy=JHWXzpPb6haN5iFA6=3orXTU2Q@mail.gmail.com> <91f28ee1-5408-417e-868d-bd5af47bd773@tu-dresden.de> <CABcZeBPopk4jSXjwWaX_bPdcgvj6f6wPxTc7+300YmZnLGf36A@mail.gmail.com> <b2593b36-4d8c-431c-ab79-a2dcf94dfe79@tu-dresden.de> <CABcZeBPV8n9AAaJB_r+cuXN3sxKRYN1u_GrZxkQoix_aegRkiA@mail.gmail.com>
In-Reply-To: <CABcZeBPV8n9AAaJB_r+cuXN3sxKRYN1u_GrZxkQoix_aegRkiA@mail.gmail.com>
Date: Thu, 27 Nov 2025 08:42:27 +0800
Message-ID: <00e901dc5f36$b52b78b0$1f826a10$@zotrus.com>
CC: draft-ietf-tls-mlkem@ietf.org, tls-chairs@ietf.org, tls@ietf.org
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/I-HGLsbgwPujs_PsZl-Pc42rSS8>

To achieve maximum compatibility, ZT Browser's algorithm priority order is: pure PQC algorithms like MLKEM/MLDSA first, then hybrid PQC like X25519MLKEM or SM2MLKEM, and third, traditional algorithms like ECC P256, X25519, SM2, RSA.
Best Regards



Richard Wang
From: Eric Rescorla <ekr@rtfm.com> 
Sent: Thursday, November 27, 2025 8:17 AM
To: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
Cc: draft-ietf-tls-mlkem@ietf.org; tls-chairs@ietf.org; tls@ietf.org
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)
I think it's important to separate a number of points here.

First, the requirement is not that implementations *use* P-256 but
rather that they implement it. For example, until recently, browsers
typically supported both P-256 and X25519, but most Web connections
negotiated X25519. This is totally RFC 8446 compliant. What wouldn't
be compliant is if you supported *just* X25519. Browsers now generally
support P-256, X25519, and MLKEM+X25519 (as well as potentially some
other groups). This is also compliant. For the same reason, if you
have an implementation which supports P-256, X25519, MLKEM+X25519, and
pure MLKEM, that's also compliant, because it still supports P-256.

What's *not* compliant is if you have an implementation which doesn't
support P-256, no matter what other groups it supports. This includes
non-P-256 EC groups such as X25519, pure PQ groups like MLKEM, and
even hybrid groups like MLKEM+P-256. I recognize that that last
example may be counterintuitive, but it's important to remember that
the point of the MTI is to ensure that there is an interoperable
algorithm, and an implementation which supports only P-256 can't
interoperate with an implementation which supports only MLKEM+P-256.


-Ekr
On Wed, Nov 26, 2025 at 3:50 PM Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> wrote:

On 26.11.25 22:35, Eric Rescorla wrote:

On Wed, Nov 26, 2025 at 1:17 PM Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> wrote:

I think the draft should have a statement somewhere stating that it is no longer compliant with the base TLS specs, with pointer to section 9.1 of RFC 8446bis.

I don't think that's correct. 

Yeah, sorry, as mentioned in the thread, please take my comments with a large grain of salt, since I haven't yet worked with PQ. I am most likely missing something from implementation perspective, from PQ perspective, from terminology perspective or interpretation of terms. So please feel free to ignore.

My general feedback for this draft was that since it is the first draft on pure PQ that we have, I would have expected it to give a much better introduction and motivation than a couple of sentences that basically tell me nothing about why this draft even exists. For example, "users that want ..." is too generic of a motivation that would apply to almost any draft of the IETF. Specifically, I would like to know more about those users to be able to reach out to them to ask whether they also want attestation. If motivation comes from compliance, I would like to read those regulations to understand whether these regulations also require attestation. And if the answer to any of those is yes, then check out whether these users have any preference about intra-handshake attestation vs. post-handshake attestation, etc.

An implementation could choose to implement just the new algorithm and
not the MTI algorithm(s) in the same class, in which case the implementation
would be noncompliant, but it's possible to be noncompliant based purely
on the algorithms registered in RFC 8446, for instance by implementing
just P-384 and not P-256.

Sure, but I feel like there is a difference. In this case, the implementers choose not to implement P-256 while still having the possibility, whereas in pure PQ, implementers have no possibility to support P-256. Isn't it?

That is, I don't understand how pure PQ can support P-256. So my point was that implementations which have pure PQ cannot be "TLS-compliant applications", as per section 9.1 of 8446bis. 

-Usama