IETF Logo Mail Archive

[TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3

John Mattsson <john.mattsson@ericsson.com> Wed, 08 October 2025 04:57 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 2BAE36F2357B for <tls@mail2.ietf.org>; Tue, 7 Oct 2025 21:57:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=ericsson.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WsnKoxfN1XL4 for <tls@mail2.ietf.org>; Tue, 7 Oct 2025 21:57:03 -0700 (PDT)
Received: from PA4PR04CU001.outbound.protection.outlook.com (mail-francecentralazon11013032.outbound.protection.outlook.com [40.107.162.32]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id B83786F23574 for <tls@ietf.org>; Tue, 7 Oct 2025 21:57:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=MT4sJBGsSVgwmxLDDWoT2qWMWRmbf6tFbNbirIBMVFD/pz279CRqnLyIvdTQHJsCOCf+gx7lBYyVGUjw1ruaIAMb3tHL1lX5IPhfkxLUlDjX6fHQEqxALxYYFGyhKmdU8LW0i1c6wBduLuh1SUOTVBq1Fo9GBCn27ZU3Ji/IXM5ZtErJr3PUFOhyYplSOv6jDDh7wcuOBqRFrm2C21eMsf1Vbs7WjK4re3D3OlHeKTFuCzpsVBO8YNwGYOgGFHT1Fm2hibU9Vi+ZI8MjZxP18MnPgwOa6NM/7Q8KbBdWVLXLN4d03WONFh3eLGgJD++rINcWojSEJ/lsmMpwYkpKGw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=CHCc3xFbDzBfyGcJEqxk7DJuNBjO7lAfDvQeQR7MHVE=; b=VJMEUVpsbgLCf5yymYwq7H+WAgU0vVC0uh+E2bOgll49yraqoLBkRM2swj4/V388kPMhBk0KKmQYha86T0kYuZXJ9hKoK3O94/0dQY21ulurP+lBUvvjd2afF0te16SC1jK/R/CX0Y5JHdBlOU7jkeYvMypEU809xv7PtXi3VJuRDwE02mOQE9S+zFtiBth2Wv1+fHevt4f802YexjOsF3jmXtAxSlKA3lBXln7vPdLkYQPHVlG5cKRvKIfPn31Rq3K+++veI2GYPu2JqBgefcyRT7LgHy9z49zTtUbC5V7mHjn2DQck0sQtp42S53Jw4vTclaeJvafL9wV4ttVUlA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CHCc3xFbDzBfyGcJEqxk7DJuNBjO7lAfDvQeQR7MHVE=; b=CkYSmD3ly5dc+SNFoQwzjMVPe7CUQdCOOAGYigNxPc/8YqHej22BwMCzh5lVOqMEVzET54DkjN2vJoV8gCbzqCdP6Zxf/WmCsG91zVqbS48HqVc7p4GidqqCjWcQYlsnX0ZFMSNwGkRkytNjlFjsKGMVh7j05KDVcJgictSMqTuE6F5d/Bxb8R96jyAAWrQE04jHVp5sCMCTgdsu5C0wiZ6IaQDlPJsA/7ceA09PZsBzHkEGGavKifzC6qfzoEL+2Z80w2RTPgXHRVyS8EE2C8DFDzVziV7l2rdLUQR1MQJpFeSOO9bd+Ois24+H+67zD5DrHWhNHAfDxYlVsBdprQ==
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com (2603:10a6:150:114::10) by PAWPR07MB11133.eurprd07.prod.outlook.com (2603:10a6:102:50c::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9182.18; Wed, 8 Oct 2025 04:56:55 +0000
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::bcf3:3f45:888e:a4b8]) by GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::bcf3:3f45:888e:a4b8%3]) with mapi id 15.20.9182.017; Wed, 8 Oct 2025 04:56:54 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Joseph Salowey <joe@salowey.net>, "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
Thread-Index: AQHcOAug0hYJHWm1Ik+iO4jM2rh79A==
Date: Wed, 08 Oct 2025 04:56:54 +0000
Message-ID: <GVXPR07MB96785BB4999AA2900214CC3B89E1A@GVXPR07MB9678.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-reactions: allow
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: GVXPR07MB9678:EE_|PAWPR07MB11133:EE_
x-ms-office365-filtering-correlation-id: 6c5bd166-3faa-4dad-d27d-08de06271a5e
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|1800799024|366016|376014|8096899003|13003099007|38070700021|7053199007;
x-microsoft-antispam-message-info: e6FvM6+euz+pp/PBsQcQZO5nL7GHpUlS0YJPoYPM7nzrd8rYON1PYD+J2KAkiF+8DZtoh4lS2ItGjA8Hfc94CtoBH6jffzkxUo8IShlm3qF5/t+ABXLi1DahdoqGMILiJumfKwpLmn4/RubLEgdMyl84r9aMklzW0vvO7ZdsR4iAdKfxRdE2PPUdh+QefAlZOUPuBu9rvH5UW8XnA+F5NakfpdP5ciSR5xRlMpOSejW3pan7QpD8LEJyNvCPaJAOyXM/ohcKqopodBT+co+jGxdL+kaZR+04bBJ/FV+kOMxJ7bByL3hiJN6bh/86OBSV6AxwpLS/7eQhmidzk7PxplAi09M9h91Z5MDrGQJX2PMqz+rEq9B8qb8Bql+OZEmc+03DwqgPu2eRT8RtwSTN13UGWt/OfTmx/WgDyrNtB3kaQG6kBKphI74g/pPAH6s6PGoKqfgj3tjo8GAOzUlVnK9RRUogySdNoj3QjPDeBUChdaXvfylngUB5rFDbqAEtGMeJshRHiNKsdIYhPtrsAcfQVtL3HCiAAoQ78vrsayk8e7R9zXv2sUMVLh2Q/P2EF7B5MdLsZJQxfI38KrCRwpPCK+sRQn/oLuCTVtUzAQQzbAYpGTDrSW7zZdz+jiBqJVGYlg/PcuDaRlelvs/1H9/UQc6lxhan2ejeKzyvivwrgUr7uf3D5RkMsWLEIqeQ74m4JYt6amEyxm4Zl14lP/D27qmgETW562CFJRv8BausJjdt74/0RhrYHxVMeHxv+l81ZSQnJpXrt3waZ5Qu0CVJN+mlvPjIWKMy81fGnDRGS4P68gJ77D+ZOCpwk/98DwLKZvSvmaloSWTP13Fk50QVlRiohpd1CV/s+FHZfzTrP+m5Cug+Dhf+l+wLH6waY7HTAvwnRS8rtN8sP+dREBKFnJIETJv1XTQQ6yfv0T9FnODM+07BPAG7Q/fB+xyYVoGABlGgn5xm944WOj3DWJXjifC8OzzeSwPySjV9VoFRumQrud3BA0qFT9pP2rkBRUtE3BdAc/fsKP9DMil3f1kCJ6bFYKTQSS2guIthDatN2jU6WUiunGigbPbT8aNmq29blmJgfLv7yfVUB2/PAPtdxlJ3snd7SD8xyPJpz4PTFMJ6LPFaMgxfFWiRUk4ahgmG2bB5xoMPELxXJdwZFTs8JBsnBCyIpNYs9Ej3SviOEzvyAIR68r+pxUPxfcgu13dmSzr7956K2m5NQtiHz39PhsP62Q4e4qbairWP6H0DTsYA00fbOuE1l4Kih9RIZPGPq6W1BolwkaWtHN9SeApooCK7eBkpQY17lo+AJDxrY9e1AXk5xOx0q9viQOUUl4gtpmqnPNRPljttgeGl9804pI6P7wZXczfE83q4dOHi96GSVAa0w2Sae9UXlXB+i5KwDMTOoyYSkVDqCz4bB5kE/xfTv5dSmzMaSv7zQ8PF5WhSwGMkXJyWfWocjZ28RFn9qX/b6Ht6fBQ+RNd2GA==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:GVXPR07MB9678.eurprd07.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(366016)(376014)(8096899003)(13003099007)(38070700021)(7053199007);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: P0hStgWQS/xfHd/V3pPXAoDuCh7MX22D6RacmLU28MbzvkO/xNnL77SwlLo7YL2C5yJrbm/VhW9DzL8qgPHRYp/jFebBJ+u0VwxBTwzDL6LEAAf2NWX7dEa/KaaSeKGW5gIT4uClBg9miUFlFpRueBT1/f02HuXh4OtkMqlNeu9ZQA7/MSEI73XM+hLRXd3Tnzk/LOujv1GzDXuXPMzjMKU7wXWaAr/xsfoA06617LYAsFWbDmLBi3HegqF/M7tbb4GmiKO8afmVkLe4pjkGODmJBT+sV887CcnRhRwH9old1JEP0zBZoQ9BqPdy5DjAMUhOdqSt8AHjzmHuWWyv11ltMPobrkThBdYjQAFRXoTKyjtBrdlsg47UKrVm+LMR+Wn2wANpwEgSRwehpnLmSWVirV7d1d+L9rft2Oi4ZujOAx1zOz1XmkJz4i7lJbeAjqUUBZJQffnZBUMMMRrdi40VXZN3zQx6jGXuKA4WkazsUdB8NHYAtR1vxsVwUi2hVdD3NZQP7+u7b0kTcQzD+Hk2Cjso/wDx5dLhzLy1bl5agx8o8G9DT2VywXAh0TVFD53XBVa6EusoX7+7nQ6FeKFklDXEesUx0D4zpGnFhb23y8GjGtspj6MS0ueKWp8YMJh/pyF6eFPHivWU0r0mZPq7Xsw7pCC+eQnOde3R+VmwveU2HjC0XZnVMQI+UnTD2YuOo3JosI7MORlcke1jSU085sVWBXAGgsoR+C0jP87dpmJugAt8mToPPkOZy8GbL0EFNuFkme4cfneYVy2EQ/QqHNzL23FeYYTpy8dx7HSClgZH1vtYipJTKcwIdAHQ4HYKkSigRwcyOXuqkcMiKdg0RMrx69Uc1MkdCf/4VCnZnKTtTE89IcUEHQ+IaqVR5cSJtkruYA2yxGbg3oB51kMSppZ1OHXQu0jekjjzRLfUAhiR7hSqJ8J1W0f3/C862kyPjMqZLz6jopEB4cb+ZgLp9H7+PCJ1b9QaphfsmDAZETr4nKVaomoSmvAXJLqvwMXi8dvw2HnUVyKEi0JUKpVlXqmFHK4Q5ILEaGTkduZkiJfLQpi2FZEOkLtrF0mqZzemx2J4qR4yV0O+ehaaGQSyPWXryIXOV5aGqHryW2+yzYwSWAFqcxZRJ+xale3g8GjsGKh8YAKkbB3e35qFBa7+TtR6LoVUvzQDp+PT46BJ21OAbKPrJzGzWbqSULaJ2oVt25G+ecMe/YvEhzaAF4Qpyi65gP6PFLlCj2mTDTsRJF2G8Ceg8TMyp01q51W7nds3nK/AUXvTozsBZI2JklkViiFT9Of3OV/Li/+GP3JUkZedYux0R2fCUt8G0ef9j+cwWvJhvaDYwUC6VqgjiA51GLBwA2xyNRVYSJvlCgQBcf1pLwKOTcttYkBbLGNhm69mRwgoeztM6B1kO4hCnTbkA1X6s80KROw80pHGd+U8F6qtEluHfLDVoBqx/yVBGchSqbEmOulzl9dGMk4W/R9cRzjyh8a+VQBBhiQjnubpmGPgHgHQ4ZHCRzXI9WOsYHzttG7lsKGkxqgL3Nd58/ARU7V4pEZnvmm3DVl2BTJZkjaBAyGhgyual5CZgYfjLUhseuaUfgU6AmQdwfGgrkXemIJomyKuSCOMNYAlu+U=
Content-Type: multipart/alternative; boundary="_000_GVXPR07MB96785BB4999AA2900214CC3B89E1AGVXPR07MB9678eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GVXPR07MB9678.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6c5bd166-3faa-4dad-d27d-08de06271a5e
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Oct 2025 04:56:54.9032 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: bTb//iZXySdgxBFoYqRnEHhX8Kb91CQYKgW4hcArNk2BrAj+MnWwQxZFfQ3kHiVo7FzTqmmo6UkbwCyHKZvLWnZ7CRPNqKEWKzUJRW3kdDI=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAWPR07MB11133
Message-ID-Hash: JHXCP427DU53BCYZJN65R53XWE6R4SEA
X-Message-ID-Hash: JHXCP427DU53BCYZJN65R53XWE6R4SEA
X-MailFrom: john.mattsson@ericsson.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/JQRoSAYxzV1NQrdQfWpj3R9w_SA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi,

- NIST has recently released SP 800-227 Recommendations for Key-Encapsulation Mechanisms, which "makes some requirements and recommendations for implementing and using KEMs in FIPS 140-validated cryptographic modules.". FIPS 203 already references SP 800-227 and states that: "For general definitions and properties of KEMs, including requirements for the secure use of KEMs in applications, see SP 800-227". TLS is one such application.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-227.pdf

The draft should explicitly reference SP 800-227 and state that the requirements in SP 800-227 shall be followed. I don't think anyone wants standards or implementations violating NIST requirements. FIPS 203 and SP 800-227 should be viewed together.

- "This group supports use cases that require both shared secrets to be generated by FIPS-approved mechanisms."
"that require FIPS-approved mechanisms"

I think these sentences should be removed from the introduction. They give the reader the impression that X25519MLKEM768 is not FIPS-approved, which is incorrect.

- "while ML-KEM is considered next-generation"

[hybrid] defines next-generation as algorithms as "Algorithms that are not yet widely deployed". This clearly no longer describes ML-KEM in October 2025. Cloudflare Radar has periodically reported 50% ML-KEM adoption, dominated by X25519MLKEM768, with limited X25519Kyber768Draft00.
https://radar.cloudflare.com/adoption-and-usage#post-quantum-encryption

Cheers,
John Preuß Mattsson

From: Joseph Salowey <joe@salowey.net>
Date: Tuesday, 7 October 2025 at 15:46
To: <tls@ietf.org>
Subject: [TLS] Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
This is the working group last call for Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3. Please review draft-ietf-tls-ecdhe-mlkem [1] and reply to this thread indicating if you think it is ready for publication or not.  If you do not think it is ready please indicate why.  This call will end on October 22, 2025.

Please note that during the WG adoption call, Dan Bernstein pointed out some potential IPR (see [2]), but no IPR disclosure has been made in accordance with BCP 79.  Additional information is provided here; see [3].

BCP 79 makes this important point:

 (b) The IETF, following normal processes, can decide to use
   technology for which IPR disclosures have been made if it decides
   that such a use is warranted.

WG members can take this information into account during the working group last call.

Reminder:  This working group last call has nothing to do with picking the mandatory-to-implement cipher suites in TLS.

Cheers,
Joe & Sean

[1] https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
[2] https://mailarchive.ietf.org/arch/msg/tls/mt4_p95NZv8duZIJvJPdZV90-ZU/
[3] https://mailarchive.ietf.org/arch/msg/spasm/GKFhHfBeCgf8hQQvhUcyOJ6M-kI/

v2.35.0 | Report a Bug | By Email | System Status