[TLS] Re: RFCs on weakened crypto are not fixed by warnings
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 09 April 2026 03:23 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 90D08D87ACC8 for <tls@mail2.ietf.org>; Wed, 8 Apr 2026 20:23:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1775705000; bh=iOBXZrfL1hf0LQ49VBtL/0Ra0HrXkiAJWn37IUdmppo=; h=Date:From:To:Subject:Reply-To:References:In-Reply-To; b=UJN/WdhqodxZk26gPGnHhrnqdbatKgY3C75SCM2Z0mbo4F1XyzsjFrBbroFlfLGnR ax6v9nXYZDs83rfzOiEICNT5Yt5pQJ0lDw0TlKsJnP3R+Skqext1BIul82UqP2zEyw /Ywc4vt7WL/Wrccx7ZP8vUb2j6F2/WQLGLdgh2i4=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.398
X-Spam-Level:
X-Spam-Status: No, score=-4.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=dukhovni.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e4YkC5bK-a2U for <tls@mail2.ietf.org>; Wed, 8 Apr 2026 20:23:19 -0700 (PDT)
Received: from chardros.imrryr.org (chardros.imrryr.org [144.6.86.210]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 4F282D87ACBC for <tls@ietf.org>; Wed, 8 Apr 2026 20:23:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dukhovni.org; i=@dukhovni.org; q=dns/txt; s=f8320d6e; t=1775704996; h=date : from : to : subject : message-id : reply-to : references : mime-version : content-type : in-reply-to : content-transfer-encoding : from; bh=iOBXZrfL1hf0LQ49VBtL/0Ra0HrXkiAJWn37IUdmppo=; b=G1NT7//VksKTL56ulVSqeywvfd7a7V+PzilZpNkHvFvkW8j9NH2gMoXipz2IxaOEgW7Aw r3Lj2E5lmtKS/L+i0v8Tfu+TSqPpihbbDUz7hvUUV14qx1kI6MBnpx+a/Q+S5HwnyUuHui+ o/i5RZbTJueicbErthXIslDVFbxOmfI=
Received: by chardros.imrryr.org (Postfix, from userid 1000) id 14B68937704; Thu, 09 Apr 2026 13:23:16 +1000 (AEST)
Date: Thu, 09 Apr 2026 13:23:15 +1000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <adcboxzT5908kaIK@chardros.imrryr.org>
References: <ada2BSdJ5MwIWDWs@chardros.imrryr.org> <20260408213019.934268.qmail@cr.yp.to>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <20260408213019.934268.qmail@cr.yp.to>
Mail-Followup-To: <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: OOJNBCPKZAPIPAWCA3WD7MP4BUTWNJNH
X-Message-ID-Hash: OOJNBCPKZAPIPAWCA3WD7MP4BUTWNJNH
X-MailFrom: ietf-dane@dukhovni.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Reply-To: tls@ietf.org
Subject: [TLS] Re: RFCs on weakened crypto are not fixed by warnings
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/IOraSxPeNNgYdeFJQU10Fqz5LpE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
On Wed, Apr 08, 2026 at 09:30:19PM -0000, D. J. Bernstein wrote:
> I explained that every WG-issued RFC has a prominent claim of IETF
> "consensus", and that people will interpret the RFC as IETF endorsement,
> no matter how many warnings there are inside the RFC. Are you disputing
> this?
Yes, in the sense that "endorsement" isn't the point of the exercise as
I see it. It is rather a narrower question of converging on *how*, not
whether to implement ML-KEM key exchange interoperably in TLS. The how
can be accompanied by security considerations that highlight reasons to
consider hybrids instead.
Actual *endorsement* comes in the form of a "Recommended=Y" flag in the
IANA registry, specifically designed to make it possible to distinguish
between publishing a stable specification and actual "endorsement".
Your objections do not appear to be directed at the "how", and the goal
of preventing the "whether", through delays or non-publication seems to
me to be unrealistic.
> Or are you saying that IETF endorsement wouldn't tend to increase usage
> of non-hybrid PQ? Or are you disputing CECPQ2b as an example of ECC+PQ
> providing more protection than non-hybrid PQ?
I don't see specification of TLS with pure ML-KEM as IETF "endorsement".
The endorsement of ML-KEM comes from NIST. The IETF TLS WG, as stewards
of the protocol (but not the protocol police), can now decide whether to
publish a specification describing how FIPS-203 might be used in TLS, as
one of the supported key exchange mechanisms.
> My understanding of your argument here---please correct me if I've
> misunderstood---is as follows: people saying (e.g.) "Don't use this"
> shouldn't be opposing publication as an RFC, but instead should be
> supporting publication as an RFC as an opportunity to include a "Don't
> use this" warning inside that RFC.
Well, I would say "consider the risks, which are as follows... when in
doubt, use an ECC+PQC hybrid", which is of coursedifferent from "Don't
use", I view "Don't use" as quixotic, those who, despite advice to the
contrary, see the risks differently, will use non-hybrid key exchange.
> But publishing a new problematic RFC along with a "Don't use this"
> warning is strictly worse than rejecting the RFC and publishing a
> separate "Don't use this" document, just like previous IETF documents
> deprecating various other problematic cryptographic choices.
That's where we part ways, I support making a case for prudent use of a
hybrid, but I don't see the proposed specification as "problematic", or
non-publication as an effective way to get implementations to avoid the
use of non-hybrids.
--
Viktor. 🇺🇦 Слава Україні!
- [TLS] RFCs on weakened crypto are not fixed by wa… D. J. Bernstein
- [TLS] Re: RFCs on weakened crypto are not fixed b… Viktor Dukhovni
- [TLS] Re: RFCs on weakened crypto are not fixed b… D. J. Bernstein
- [TLS] Re: RFCs on weakened crypto are not fixed b… Viktor Dukhovni
- [TLS] Re: RFCs on weakened crypto are not fixed b… Muhammad Usama Sardar
- [TLS] Re: RFCs on weakened crypto are not fixed b… Peter Gutmann
- [TLS] Re: RFCs on weakened crypto are not fixed b… Bas Westerbaan
- [TLS] Re: RFCs on weakened crypto are not fixed b… Peter Gutmann