IETF Logo Mail Archive

[TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3

Yaakov Stein <ystein@allot.com> Wed, 22 October 2025 11:46 UTC

Return-Path: <ystein@allot.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id A0A837A4187B for <tls@mail2.ietf.org>; Wed, 22 Oct 2025 04:46:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=allot.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pvHtWrDAf0J0 for <tls@mail2.ietf.org>; Wed, 22 Oct 2025 04:46:34 -0700 (PDT)
Received: from AM0PR02CU008.outbound.protection.outlook.com (mail-westeuropeazon11023097.outbound.protection.outlook.com [52.101.72.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 8C1C57A41876 for <tls@ietf.org>; Wed, 22 Oct 2025 04:46:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=npd2RVRVyVXf33eqO5C8zbT/6yLQrhT7j8dizy1J9qiBzYAZlIb61gcBkMNg7Gw61PtIIo1li83JJ1QoDxy9AVZwqlsaTG2wBtMkY0ksInCP5T76NxLPlt6ul+c3doCAPdGItaLalLHp4GnuYRe+tYJqH7XM31kzJ+g9OJ4ipJPNmBhw2OkEJozh97r/VfuBzAeSknehnY8WGucsdjVkYZk4rI3NlHtXOmONz4T1q5Y4i+jU3tnUDgsmPzXr1463rO7qmRxZ90vyhlXd21bw0sEJLO6HyOY0ID55i/YL/b3nXsztCdY0/0pjcZ031l6qD6lxT+w5BaHiNvi05h1cJQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1Yc33noFeyAn69RVre7U7hOnHRWAbSzce2WXkIFxkmg=; b=Y9vIaWoZ/EQfTxeUHwJv35Tn945w0MzeSocIR+Wnp4vgF8Kx4SHGooSnblI/g6j9dGU8gDxD8BAdl3V+/+opG8ANr2nL/GEtH0OKMLB5DvO1frD8Z2hera5SpmBgH0WtkLStcXpRokXJrnYP2rYwAQXU53udhYm97sZ/WZgQp5GsGmmrdQPxMWvez36MtQ3QcocVtfYfvUIA1juMqK5YQBCpNO4zs+g3hyRA/159nDG6mGEXP4/+FY69PsfQ9fEgnCcMlSCaAYL9Zn2rpA+3dH78uZRM2PRS2gX7B1+MhNIJHMVgtm57947laN5OXBg6ALdSzWeM6Jl7M2L2lHDkyg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=allot.com; dmarc=pass action=none header.from=allot.com; dkim=pass header.d=allot.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allot.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1Yc33noFeyAn69RVre7U7hOnHRWAbSzce2WXkIFxkmg=; b=fAcBNjGx2eL96+/SixySQsKf+qqo3MAQXbT6XWjhUxL2nrpRYN+IMGRySd9os+eCvgfHJKpo/S2uCoUj4hk6GlLojX+6qdf94XBIIWJseWIfmk2jLm4wgDNWcRDJl3xJt+ix7hsIRU1Qg9gEUbCADrvPL+ELAro8kNg7RSuJj5Y=
Received: from PA6PR08MB10707.eurprd08.prod.outlook.com (2603:10a6:102:3cb::5) by DB9PR08MB7772.eurprd08.prod.outlook.com (2603:10a6:10:398::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9253.12; Wed, 22 Oct 2025 11:46:25 +0000
Received: from PA6PR08MB10707.eurprd08.prod.outlook.com ([fe80::ff02:9799:b729:ae6a]) by PA6PR08MB10707.eurprd08.prod.outlook.com ([fe80::ff02:9799:b729:ae6a%4]) with mapi id 15.20.9253.011; Wed, 22 Oct 2025 11:46:25 +0000
From: Yaakov Stein <ystein@allot.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
Thread-Index: AQHcQ0l+kbP5GE1mwUutc6VVPZ68ig==
Date: Wed, 22 Oct 2025 11:46:25 +0000
Message-ID: <PA6PR08MB107078B4DC55CFF909F5A918DD3F3A@PA6PR08MB10707.eurprd08.prod.outlook.com>
References: <CAOgPGoA+c8kXDizwsvFG5tLz9+Kxk0HqiN1skKp5jMvvpxeu0Q@mail.gmail.com> <CABcZeBO+3u=1=ueNscq+O74Qv=7PC5NedsGsugp=GZjVqtODoQ@mail.gmail.com>
In-Reply-To: <CABcZeBO+3u=1=ueNscq+O74Qv=7PC5NedsGsugp=GZjVqtODoQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=allot.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PA6PR08MB10707:EE_|DB9PR08MB7772:EE_
x-ms-office365-filtering-correlation-id: 328c0702-cbb7-4ca3-3d4b-08de1160a172
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|366016|1800799024|376014|38070700021;
x-microsoft-antispam-message-info: 56+NMW/cfNmiL4KP6dFlMeEQiqVPji4DakQG+QldR1cV3zVfFAsy8eCoLm308571gBvgG0mtm/9/ZcgTniAzXcRYPChvLH/WGn60tw/r69nE1ml4GwDlyCFpNx+2QfZxCWpzRbYI3Ac7tuB/uky2NpzQY5KZTxdWZTO51st56UBTxTupt+xasuGsdCodPkpgQLJDSt+h1duZGY2PxnhuaTPwiWN/h380WX1I6o6xpjPRV9YiB23+wM1VO0b0QBJi2IiR/gO/heamhMxhMykMEzb2micvQkIS8xBtcex10+NoVISyW7GiTOHA4A8TMQjkIJ8peFq2yhHYwjySWAJ95/FuM9+6xpbyufR8zYhe9fVkRovacfRphyRi2/foT4+dUuEM/2CnYJMbdi60siBRDFAVOq37LQmJ6qULLQX4imzOWuFM77hGRhaxTUxpBCBCGVxL4SjHSu5gxGmYlAE/jZLLq+/ysTkVoe5vetJ7fxhseNcXUDV7XjBMnYV1pOVUYxezHrtSfaa5oMo1Mi9E544jLh95rrrCFLHtbEwtkc0hB68WCGcOPkyvtSiWig4kRX6ZMy2s/1YoPflgLtBTRscEmXNMIKhksz5mX6BP88kdUTx93zkVWVNyBX+cqpXBDfaVY+AukV3L5qBYr11V01bXscep17wJCV/mcWXds68TN8d0WoPjhidSE5ADpalHhVlZtXwxjd2eHtEpZcgtfY9OaTskGJVw8hPWZohInvSPMwX92s+vOigmybS9iHHd7nctuWKfXnmApHz4Uejz3VW1Jz3T6AgflWDM1dhxRSfoB0K5V3xzeOT8gWYKu1nlLCd5uTbf8MrslxCTwqBCj4eOALzYJ8LUZSX0ENXxOrkTIMTOc7kJP7O+fbTHkUFOrmVdvDEEjjSwSOgoFu6C9Sn/nXDonPNpjs6c+l4X6ZMAVrqueNfwc3nwBKojREN25hqPfNr1RMeGElS1m1+a6gr9b32rynYKRDY6auqgi3w61IdCYWwy414Zik7qLpVJvGoOX6cGNT5IU/gtv5oCACOw6RHGq327AN/LZx5NEMLLtumTelM1G5I+f2m+UQ7kVDUdD+FP5ld0ugEsE8OT8jhwjxK7HzxkD3yzQccpmqwfYJKEWCTH0YqihiHv2sIZVFVen1UbZcJ667muG7vCnRm9Q+cYWuyVBFb6KV46K7Nz16hexL5jIIqgKdC9LgGtFz6PaPG6YlT2XY7Y1TXNGeswc4DgiyCww6kWvAhSjEOoPPQzkNkT3/2Id/DUaUxz6a/BAifpVARsCy6g1QaoK8Ddji/rT0o3kRyYL/5eHrimahNgyoA4N2ZNPkvh+Gd/jd+9SVTzcX0HObNolwZfACBvpWCQlz/kFa/tqdYPWloMA64eDArFVuXHsobG0aDjX+QKZSO6MORhi5Bu32SrynW9rNOgkiN6Pp7EWFdrnv+dwMVMAwd8/n8Wrd9zlS7t9DZrTVxz0Z3Rx7qmzntd3Wk1fFn2zz3sxLR140Sz9xDm7nSHEMslSKRAj7KO0kFj
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PA6PR08MB10707.eurprd08.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(1800799024)(376014)(38070700021);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: mf6u2hrHfDzn/u2H5Oe7jaBewm0XwfhoODmvr0vqiKBQtFlvpcyg4WniEmB+jTS7s90HpxLwLkBUQr2ZnNI7rvWQhFJkuuXoyQCIcJrewyePqylIahf8DN6tLELkLWLJvriUgubKCMzE9cijkTXaG0ux3JDCKnl4PdMvBmHvSNY2J2QtMDxvpCivNfmbdmow2n4mUCjn527cDv7QXx34EUZOxTlaRL1BSlk41qI150rNrBVFLc/LOGo7p58MoDe7zZy4Zm0KYozAgoF/PmCCA6yQsdqrMrvgkZneow9pyP8OKUeYQ0U0TI6H52Y5+/oURFZoucsNjmLMmeBhdUf7j9TXAfC9Kj7lIHn+Ad5vR4Y1kXBxLCgs51N0eKVGAu9XA7Izqe49djJ5zuR8O2t2WRYlcJbP+kBDU44KcM3sPH2y06aEVtywy0bnBMDk2Rw6Jzk5PpUSj0MTIRrswkUjtdPwZIT94eyCG89D8ZFRDo15vIyV2tU9Tls4MmDsG+xL55oG0OR6gCD4Mqw23BB/MHPGsSzJ5iAAVfoy/edNWIDQflUfIhkTKDHUHLcolirKwYqgXVIIiBogAULlZKv2PVhBs6/PIDp8G9C45HF6ArAMxtoE+YPKzJlQuYraIijX2bMdbI6owQV1qxg4QGgE4I+SzwQrh+zgvwUbwfAf1yNireLiP3+FfRyIe7Q6XcZUnB0RnbUv9KFhsB11X8pmsXqZGWiwpTfDE12NsioQwElL38gVtej5hmaAdf5Yk3szZkcp8whRnlZm4I0G2iSvlTvgq6vXNAUyRKHUFMXTgrMbNacI5W6svq1TScD47du8MdZO6jzqMghi7zJSGIzRDNQBthFyb9noJa5VvJbisNVkt65lHv4SoeVbhEN0smMMwjcon+WUhDzOuTiCJYYzXGcRhozdji76KsAZq6VNNFSUljG825Sah3ZXH7zXMOl1XICKEXyPyoJ8Sodm3Q+G2vZHJ1R+Qg2YhSwkI5F9KOSQzYe85U7emhmS6jPg4SMQFfpt+MWznNhjJTwvMsQ48Kj/0aUSs5SoARRRd7ft6deegHvvA87htrT1D2aR9lkZPcGwMYHU/2HQst31rmqUHa8dndM4hDLu2MbtcI3BAcwd6iKRvV9KrrG+4sAS13Y/TvhH7+6NmGn6+c9pIcRJRGrC8t9dq+ow1BT/snKy+njbIjGhSNcIosC0P2+marNUllVLszTunMRwPp8SjqhTyxistDo3UTE6mu2hzHphkyboEZv2E9FiejAPO23yMGNB+blfS5xTw9s0HsGaYnkqDct+aToPlt1ktZtRp4I4hgfc+lYg44FPsTgunYNR4dscjuR7+u/qwqzCcc4Ika04YqCUGCpLS8AHlO3Ut1gt6vkwtFRof7R5v3aSEUj7sPktdSxp09T0jbVxqbz6zX+pOpXs67tr1nKzseiGx+599SIA/T6wt8yy9znWA+LtJEaLZp5fTdMaWinI66int427NtiivVCuRkbqcJTnwvy/eoa50h5xVWrVH5nMfvpoGDhaFYLz/xCZVTILqOE+idDRdbQ5phr3AVpcJu2r4yt3HtQ=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: allot.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PA6PR08MB10707.eurprd08.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 328c0702-cbb7-4ca3-3d4b-08de1160a172
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Oct 2025 11:46:25.6188 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 789e5ff8-0396-414e-803b-13a424e9f5d2
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: bi65kZJyjbzD0+E0jgleaoN687y0tiYm8XbWKM5AiJmriouDjiUwBatLTUD53w3tkmpCQtQgl+Asz8eFOvcCjA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9PR08MB7772
Message-ID-Hash: LLTXES4VKTTMHTX6XHJ7IKYEX4CFFMAI
X-Message-ID-Hash: LLTXES4VKTTMHTX6XHJ7IKYEX4CFFMAI
X-MailFrom: ystein@allot.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/IXwHCjhiV_A4WiUcUHW6tUOp0A0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Regarding which hybrid option should be marked by IANA as Recommended - I did some checking.

Using a browser that prefers X25519MLKEM768 I actively probed some of the most popular services (admittedly from a single location).

The following currently accept an X25519MLKEM768 offer :
* Google, Gmail, Youtube, gmaps
* Facebook, Instagram, Whatsapp
* Reddit
* X (Twitter)
* LinkedIn
* Amazon, AWS
* Yahoo
* DuckDuckGo
* Fortnite
* Cloudflare hosted services
* Akamai
* Fastly
* Temu
* ChatGPT
* Anthropic

while the following do NOT (yet?) accept it :
* Microsoft, Bin, Azure, MSN
* Wikipedia, Wikimedia
* Apple, iTunes, app-store
* Tiktok
* Netflix
* Roblox
* AliExpress
* eBay
* Pinterest
* Yandex, vk, ok, rbc and many other Russian sites

So, we have very widespread acceptance even without a Y in the R column.

Y(J)S

This message is intended only for the designated recipient(s). It may contain confidential or proprietary information. If you are not the designated recipient, you may not review, copy or distribute this message. If you have mistakenly received this message, please notify the sender by a reply e-mail and delete this message. Thank you.

v2.35.0 | Report a Bug | By Email | System Status