[TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
Eric Rescorla <ekr@rtfm.com> Tue, 07 October 2025 18:39 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 79E1F6ED78F6 for <tls@mail2.ietf.org>; Tue, 7 Oct 2025 11:39:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cffm5DAFYaB4 for <tls@mail2.ietf.org>; Tue, 7 Oct 2025 11:39:04 -0700 (PDT)
Received: from mail-yx1-xb12d.google.com (mail-yx1-xb12d.google.com [IPv6:2607:f8b0:4864:20::b12d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id C826A6ED78E4 for <tls@ietf.org>; Tue, 7 Oct 2025 11:39:04 -0700 (PDT)
Received: by mail-yx1-xb12d.google.com with SMTP id 956f58d0204a3-6360397e8c7so7651475d50.0 for <tls@ietf.org>; Tue, 07 Oct 2025 11:39:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1759862344; x=1760467144; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=iEOnfrfhlW2v4SKdcpU+sNsyJIDLI8R7tnmPkIWpn1Y=; b=BXXFZeVWm8YE0HRK5ML4Rd2VFAdQ8XevGoUPXsQqVIZU1HDtddt2GIFFeIIEYKw+3M myR8i9GWqdxqo9O1FkxdBn/QMVa7Z3RsI642o5VJxdelKM99tThjH4E6TSfiBzBci0SA /NM0utc8Qvn3hkFTfdA1fcOxx+gjQUJKPndLF0ehwXUftMvfc8KwX26bw1UyQe9WWtM5 4daQpukgqnk3aHWsU+iG8Jx3i0DWfnpjVKqc5VPdzcJpdirKI2btKeosSSnlGbW6OMZe SpwFuXQ4fjdq83ZqzLTmDTUK+f7qnFa1XAXznUqEeDa0cZc5KPbSORC6eiYbEiPeXVgL czbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1759862344; x=1760467144; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=iEOnfrfhlW2v4SKdcpU+sNsyJIDLI8R7tnmPkIWpn1Y=; b=lUa0ys2MfTmoNp0Bb+EHGRurETgFx4GZX2Gh/vWCERl71w3gnyncalr74yWmXqSbzz rG7bGsPC3S/YHff+pB6oDZnecfpGkAfeVIMFpBoQCFbqxMAv0o0v0+9lHv41DPpqIiRN 1no3KAkdFuvMgoVTaUyq0Zsc6PB4S5KkOBtL42One6hhcNC057MtF/ls/KPvGFBe100N 3LaT548XvTZPVb0PBlGgIvZF8jMDWicxCJ3zrMclcT7Ma77LSssdLbxhblJgAx0jCJeb L9p5i56x0lneQfQT67Yp6K9Rzn6B5dkz7+ImVxSv2UlEw6D8Ii7U5fG231KE+bEpriPy XGqA==
X-Gm-Message-State: AOJu0Yw7gkpCyGYyT0UDz3qfAXm1GMAsKI789VFwnlO2cmeZErM+n3ZJ 8Rzmk2xkJqYheE6pIsCrqFif9wU4XBeXdEnmr6NCMVPIKEd8JTIjRbYjwkJBI3rVel7KtK5OJmp iLWhNKfXhIPhHYnxqaLckL59CjL29PCTc9t5DXtHcVBjnZYriyiZ26rfSMg==
X-Gm-Gg: ASbGncuEg4ftnIel/NyVzBYxWoSDtkrkKzTHlTdtYraj2Ko4eAdePqfdUrdIefk/6qC N+abudDg5E/Z1aALpbjp8OaYvcJ+U9bWGzje6LUeKHWoN7fD5NX8eoF4rXN9LPtU5+txcteCMwB UQsuVPziu8yCt8eg8yQHhVTjKhmSQgP9I9ttAfJbeGCVvUvPJHEAchrysCD76LJJFkUe8lDzYCd hNklcI4XGhCUpdoJgwZj2t71zi0hq2IO4Pdhu3y17SBl5LaE9jIih8NjBlsqCqVhcqf4F9s/r0c WFZ9HDXBi2fA2BabkiJOjN4WBiBIjS+I8K0VndpPWnU=
X-Google-Smtp-Source: AGHT+IFDBmFuTFUSU3tE8GcuWx4MCwgyFgYrZRmDVSswELJ4tr444KDwthAAxzVdtjJOQA/8zL8tlOwjyHv1OEvfNtk=
X-Received: by 2002:a05:690e:edb:b0:633:a2e8:5489 with SMTP id 956f58d0204a3-63ccb8e0bb5mr603067d50.33.1759862344007; Tue, 07 Oct 2025 11:39:04 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoA+c8kXDizwsvFG5tLz9+Kxk0HqiN1skKp5jMvvpxeu0Q@mail.gmail.com> <CABcZeBO+3u=1=ueNscq+O74Qv=7PC5NedsGsugp=GZjVqtODoQ@mail.gmail.com> <CAMjbhoVcxTfppSrkC27F8uf9hKvqTDBsG_-dzGtWbjia5YhmXw@mail.gmail.com> <aOVWcf9JFllri-vG@netmeister.org> <87h5wapnqf.fsf@josefsson.org>
In-Reply-To: <87h5wapnqf.fsf@josefsson.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 07 Oct 2025 11:38:27 -0700
X-Gm-Features: AS18NWB9qoM1IMoR7oQfQaakVdukablUZ8ZpuAoLfx1EdyVZqBSwmLF3nr2KdHM
Message-ID: <CABcZeBNkfF125WE3vbWrAZ6zW2KgGFtAQKiC4=z9GmxoG99rQg@mail.gmail.com>
To: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000de57b9064095e182"
Message-ID-Hash: 6ML7FLMWL5CRQLYKR4SP43Z4ETUBPOTZ
X-Message-ID-Hash: 6ML7FLMWL5CRQLYKR4SP43Z4ETUBPOTZ
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LMWucuzlc0sXFFObEOBpeJWzmjA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
On Tue, Oct 7, 2025 at 11:33 AM Simon Josefsson <simon= 40josefsson.org@dmarc.ietf.org> wrote: > The discussion below suggests to me that X25519MLKEM768 is the running > code de-facto algorithm that ought to be on the Standards Track and > Recommended=Y and the other variants should be split off to a separate > Informational document with Recommended=N for niche usage. > Again, this isn't what Recommended=Y/N means in the context of TLS. Rather, it means that it's generally OK, which is why we have four separate recommended EC curves. The mechanism for encouraging implementors to actually use/deploy a draft is SHOULD/MUST implement. -Ekr Mitigating algorithm profileration is a consideration, but security > heding is more important. It would be nice to get X25519 combined with > FrodoKEM, Classic McEliece, SNTRU, and more deployed for TLS too, so we > have options. I believe it makes more sense to add some other PQ KEM as > a StandardsTrack/MUST/Recommended than to have SecP256MLKEM768 there. > In fact, I would go further and say that we should progress two at the > same time, to not get into a single point of failure situation. > > /Simon > > Jan Schaumann <jschauma=40netmeister.org@dmarc.ietf.org> writes: > > > Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org> wrote: > >> This is the breakdown of client support Cloudflare sees (relative to > any PQ > >> support) in the last 24 hours by handshakes: > >> > >> 94% X25519MLKEM768 > >> 8.1% X25519Kyber768 > >> 0.038% MLKEM768 > >> 0.014% CECPQ2 > >> 0.012% MLKEM1024 > >> 0.002% SecP384MLKEM1024 > >> 0.002% SecP256MLKEM768 > >> 0.00005% MLKEM512 > >> 0.0000003% SecP256Kyber768 > > > > [...] > > > >> I can see an argument for Recommended=Y for both X25519MLKEM768 and > >> SecP384MLKEM1024, but I do not see any value in recommending both > >> X25519MLKEM768 and SecP256MLKEM768. > > > > On the flip side, and as just some data points here, I > > recently did a check[1] of which sites/providers offer > > PQC, and what key groups they support. Not > > surprisingly, it's almost all (and _only_) > > X25519MLKEM768. > > > > Amazon Cloudfront (as pretty much the only large > > service provider) offers SecP256r1MLKEM768. > > > > This is not surprising: AFAICT, the browsers only > > support X25519MLKEM768. If no servers offer anything > > else, then browsers have no incentive to implement > > other key groups; if no browsers offer other > > keygroups, then servers have no incentive to offer > > them. > > > > -Jan > > > > [1] https://www.netmeister.org/blog/pqc-use-2025-09.html > > > > _______________________________________________ > > TLS mailing list -- tls@ietf.org > > To unsubscribe send an email to tls-leave@ietf.org > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org >
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Paul Wouters
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Working Group Last Call for Post-quantum Hy… Joseph Salowey
- [TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Post-quantu… David Adrian
- [TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Deirdre Connolly
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… tirumal reddy
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Andrei Popov
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Thom Wiggers
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… David Benjamin
- [TLS] Re: [External⚠️] Re: Working Group Last Cal… Yaroslav Rosomakho
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Eric Rescorla
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: Working Group Last Call for Post-quantu… Martin Thomson
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: [External] Re: Working Group Last Call … D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Filippo Valsorda
- [TLS] Re: [External] Re: Working Group Last Call … Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: [External] Re: Working Group Last Call … John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Dennis Jackson
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Stephen Farrell
- [TLS] Re: Working Group Last Call for Post-quantu… Joseph Birr-Pixton
- [TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
- [TLS] Re: Working Group Last Call for Post-quantu… Christopher Patton
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Rob Sayre
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Appeal Response to Rob Sayre - was Re: Re: … Paul Wouters
- [TLS] Re: Appeal Response to Rob Sayre - was Re: … Rob Sayre
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Peter Gutmann
- [TLS] Re: Working Group Last Call for Post-quantu… Yaakov Stein
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Joseph Salowey