[TLS] Re: draft-connolly-tls-mlkem-key-agreement
Deirdre Connolly <durumcrustulum@gmail.com> Fri, 06 December 2024 22:36 UTC
Return-Path: <neried7@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AC2FC14F703 for <tls@ietfa.amsl.com>; Fri, 6 Dec 2024 14:36:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.853
X-Spam-Level:
X-Spam-Status: No, score=-1.853 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CDZA4RBLilkA for <tls@ietfa.amsl.com>; Fri, 6 Dec 2024 14:36:13 -0800 (PST)
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E583C14F6EE for <tls@ietf.org>; Fri, 6 Dec 2024 14:36:13 -0800 (PST)
Received: by mail-wr1-x42a.google.com with SMTP id ffacd0b85a97d-385ef8b64b3so2077673f8f.0 for <tls@ietf.org>; Fri, 06 Dec 2024 14:36:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1733524572; x=1734129372; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ocyuym8rFuvLTolHCs1A3WccQRtvk+2zzvW2AK1ZHHU=; b=ZPmpfOl2AVEnX8S8fORjhoLZOvOMuskuW7+OXfB7OdSRoir5hks0ePp4qGpk3KMnRG QD4YyWf01V+Mi9S04tOCp6zbtfMOePj7Bxwe5d5bu9CtArQ/DpfZ8DvDGDDBLHixNfkf l6+wH4NgpCnd8BuOfwFcMhsA+sPjeX2vPQmryhMAZ0/eWmCkaz7tOUuOM4DiaTz8/bfd Cv906FLqwSfM6EEwsJIBT3dLBVVqM7T36JI96rstYTq5ASE+hSTWyxG/onqGALq8v0pm w29BBo59jMyj1ZJd8aL67+cONJlV7p2cEF7h1SwLIJ3yyMBw5WIPspFnwhBw0WI9gbXa y7Vg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1733524572; x=1734129372; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ocyuym8rFuvLTolHCs1A3WccQRtvk+2zzvW2AK1ZHHU=; b=ecFAc64tvfWzhYifIuyGpJ1nGlE4Aj6E7ktiR11t9z7f5EF+n4RyHAgQKECAa4ACZP rX+f1saBNJKU89bbQ7psnOPhqtmD/T95Ubo4X9D4J7XOfG+o331DBqcm1in9/tIyo7TH fOyS3YnLjNZ/akMzNu5nwgWMUpC8IZb6moJVwM7oR6ua5pIfsV2o9/5/t7EDe/L3LOXC MUkliDseF4TYL3f7IS/wDtM9p+ajVU+L2ijWSbt2SgAid3G9IhXUg9I2mebeyrGPCUK8 jofyyRPn28NDL5QPzL3vvNS4hpaX4/vNlCV6Vcfnt+aiUkv4QW1s+G1Ntb1J5JF9i3LR RLdA==
X-Forwarded-Encrypted: i=1; AJvYcCWcr2UAgbyqA3HNBFDDKPI1nggrRdQxU8pcj7O6mCpUmkf7dUtvxY7q/jMS64rLUahaDQ8=@ietf.org
X-Gm-Message-State: AOJu0YyUPwrJPFTAfVkUdd0Y+dB6swujEX441fo6/yHO+ixfj26S7V8Y Oa5oXisV2RUrfndVL1YAN+0Lbe6BevpudkKH/kWb2ueqln3cXI2bN2n8wkzuKX1sQW457YpALXH QhSMRy7mH16yCQewkL8w5wbWash93Ew==
X-Gm-Gg: ASbGncsBz8u7XdUEtVxyc4ghI5DF20bpNNBmxERsebLqFK7iyhbyh5hR6sgMOTP/Ln9 THB5/094dwNFqVDH9Dq6BlAsqRFt5THxzO4LB8YikfXuyJOrHn/BDT/KW9SJTxLsh
X-Google-Smtp-Source: AGHT+IHLQY7G0Kfrai0tpvnud16l28pMcsMotC4eVHsL/r7yFwASxlvQ0IocOSd4FvWTRFq6efS+tvt2c8vP/nG536I=
X-Received: by 2002:a5d:6d8d:0:b0:385:ddd2:6ab7 with SMTP id ffacd0b85a97d-3862b3cf297mr3805534f8f.52.1733524570786; Fri, 06 Dec 2024 14:36:10 -0800 (PST)
MIME-Version: 1.0
References: <CH0PR11MB5444342A5C29C5C5BCCF9BA3C1302@CH0PR11MB5444.namprd11.prod.outlook.com> <20241206172906.124753.qmail@cr.yp.to> <CAAWw3RinB6WKCzLaFjds63Mgoykt-2haaD9rQEsFv2k_b8RJzw@mail.gmail.com> <CH0PR11MB5444B4B1006A10D99DBAB394C1312@CH0PR11MB5444.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB5444B4B1006A10D99DBAB394C1312@CH0PR11MB5444.namprd11.prod.outlook.com>
From: Deirdre Connolly <durumcrustulum@gmail.com>
Date: Fri, 06 Dec 2024 17:36:00 -0500
Message-ID: <CAFR824zg2pL0e+QF0oAL4ry3S+N716tEoDUTMukJzyEWpktLFg@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer=40cisco.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000405a670628a1a480"
Message-ID-Hash: GBLJRSQYN73EFAF6EPLGIH76JMYAHNV7
X-Message-ID-Hash: GBLJRSQYN73EFAF6EPLGIH76JMYAHNV7
X-MailFrom: neried7@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "TLS@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: draft-connolly-tls-mlkem-key-agreement
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LY4qnbZHcPtuLawqoVlJ5V8Tif4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
> Hence, Cisco will implement it; I am essentially just asking for code points. Code points have been allocated: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 https://www.ietf.org/archive/id/draft-connolly-tls-mlkem-key-agreement-05.html#name-iana-considerations On Fri, Dec 6, 2024, 5:23 PM Scott Fluhrer (sfluhrer) <sfluhrer= 40cisco.com@dmarc.ietf.org> wrote: > Well, I am on the same page that ‘pure ML-KEM’ should be one option. > While I would agree with you that hybrid makes sense (and should be another > option), I am not as inclined as some people to say “and that is so clearly > the right trade-off that we should forbid any other option”. There are > people whose cryptographic expertise I cannot doubt who say that pure > ML-KEM is the right trade-off for them, and more importantly for my > employer, that’s what they’re willing to buy. Hence, Cisco will implement > it; I am essentially just asking for code points. > > > > As for it accidentally becoming “MTI”, well I’m pretty sure that won’t > happen (barring Q-day happening and the current hybrid key exchanges no > longer making sense). > > > > As for people implementing it instead of hybrid, well, the working group > can help to prevent that by moving ahead with the hybrid draft (hint, hint). > > > > *From:* Andrey Jivsov <crypto@brainhub.org> > *Sent:* Friday, December 6, 2024 3:44 PM > *To:* TLS@ietf.org > *Subject:* [TLS] Re: draft-connolly-tls-mlkem-key-agreement > > > > I second D.J. Bernstein's concerns, but my other issue with giving options > like this is that they will creep up into MTI sets or default sets, with > higher priority than hybrids. > > > > I find it less ideal that the document on pure ML-KEM (or signature) and > hybrids are disassociated, causing the progress of standardization of the > pure version to bring these other concerns. > > > > So, as long as everyone is on the same page that pure is just one option, > perhaps for strict compliance with CNSA 2.0, then there is no issue from my > perspective, but that's a (mildly) controversial part. > > > > On Fri, Dec 6, 2024 at 9:29 AM D. J. Bernstein <djb@cr.yp.to> wrote: > > Scott Fluhrer (sfluhrer) writes: > > I understand that people want to discuss the hybrid KEM draft more > > (because there are more options there) - can we at least get the less > > controversial part done? > > See https://blog.cr.yp.to/20240102-hybrid.html. Using just PQ, rather > than ECC+PQ, would incur security risks without improving deployment. > Regarding "less controversial", you might have missed previous TLS WG > messages such as > > https://mailarchive.ietf.org/arch/msg/tls/j1qkfNmk33OZ7hgCR53TiLmYOiA/ > https://mailarchive.ietf.org/arch/msg/tls/I1GPuKLCBJ3jA-ovNcuIsLlNGkM/ > https://mailarchive.ietf.org/arch/msg/tls/gB55YMMdfFLqaCE9ughNXX8qjtA/ > > where various people (including me, obviously) already objected. Also, > you might have missed BSI writing in > > > https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile > > that its post-quantum KEM recommendations are only "in combination with > a classical key derivation mechanism"; commentator Matt Green writing in > > https://x.com/matthew_d_green/status/1742521204026622011 > > that NSA's "stance against hybrid encryption makes absolutely zero > sense"; and NSA itself in > > > https://web.archive.org/web/20220524232250/https://www.nsa.gov/Portals/75/documents/resources/everyone/csfc/threat-prevention.pdf > <https://web.archive.org/web/20220524232250/https:/www.nsa.gov/Portals/75/documents/resources/everyone/csfc/threat-prevention.pdf> > > asking for two cryptographic layers "to mitigate the ability of an > adversary to exploit a single cryptographic implementation". > > ---D. J. Bernstein > > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org > > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org >
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Watson Ladd
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Jay Daley
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Russ Housley
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Andrey Jivsov
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Deirdre Connolly
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Scott Fluhrer (sfluhrer)
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement D. J. Bernstein
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Salz, Rich
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement John Mattsson
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement D. J. Bernstein
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement D. J. Bernstein
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Alicja Kario
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Andrei Popov
- [TLS] Re: [EXT] Re: draft-connolly-tls-mlkem-key-… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: [EXT] Re: draft-connolly-tls-mlkem-key-… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Sean Turner
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Filippo Valsorda
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Rob Sayre
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement D. J. Bernstein
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Santosh Chokhani
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Jay Daley
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Sophie Schmieg
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Jay Daley
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Dan Harkins
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement D. J. Bernstein
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement D. J. Bernstein
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Jay Daley
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Sophie Schmieg
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement D. J. Bernstein
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Deirdre Connolly
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Joseph Salowey
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Deirdre Connolly
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement D. J. Bernstein
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Viktor Dukhovni
- [TLS] draft-connolly-tls-mlkem-key-agreement Scott Fluhrer (sfluhrer)
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement John Mattsson
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement D. J. Bernstein
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Scott Fluhrer (sfluhrer)
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Salz, Rich
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Filippo Valsorda
- [TLS] Re: [EXT] Re: draft-connolly-tls-mlkem-key-… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement D. J. Bernstein
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement John Mattsson
- [TLS] Re: [EXT] Re: draft-connolly-tls-mlkem-key-… Stephen Farrell
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement D. J. Bernstein
- [TLS] Re: [EXT] Re: draft-connolly-tls-mlkem-key-… Viktor Dukhovni
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Loganaden Velvindron
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: [EXT] Re: draft-connolly-tls-mlkem-key-… Stephen Farrell
- [TLS] Re: [EXT] Re: draft-connolly-tls-mlkem-key-… John Mattsson
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement John Mattsson
- [TLS] Re: [EXT] Re: draft-connolly-tls-mlkem-key-… Joseph Birr-Pixton
- [TLS] Re: [EXT] Re: draft-connolly-tls-mlkem-key-… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement John Mattsson
- [TLS] Re: [EXT] Re: draft-connolly-tls-mlkem-key-… John Mattsson
- [TLS] Re: [EXT] Re: draft-connolly-tls-mlkem-key-… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement D. J. Bernstein
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Alicja Kario
- [TLS] Re: [EXT] Re: draft-connolly-tls-mlkem-key-… Bas Westerbaan
- [TLS] Re: [EXT] Re: draft-connolly-tls-mlkem-key-… Watson Ladd
- [TLS] Re: [EXT] Re: draft-connolly-tls-mlkem-key-… D. J. Bernstein
- [TLS] Re: draft-connolly-tls-mlkem-key-agreement Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: [EXT] Re: draft-connolly-tls-mlkem-key-… D. J. Bernstein