[TLS] Re: draft-connolly-tls-mlkem-key-agreement

Deirdre Connolly <durumcrustulum@gmail.com> Fri, 06 December 2024 22:36 UTC

Return-Path: <neried7@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AC2FC14F703 for <tls@ietfa.amsl.com>; Fri, 6 Dec 2024 14:36:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.853
X-Spam-Level:
X-Spam-Status: No, score=-1.853 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CDZA4RBLilkA for <tls@ietfa.amsl.com>; Fri, 6 Dec 2024 14:36:13 -0800 (PST)
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E583C14F6EE for <tls@ietf.org>; Fri, 6 Dec 2024 14:36:13 -0800 (PST)
Received: by mail-wr1-x42a.google.com with SMTP id ffacd0b85a97d-385ef8b64b3so2077673f8f.0 for <tls@ietf.org>; Fri, 06 Dec 2024 14:36:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1733524572; x=1734129372; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ocyuym8rFuvLTolHCs1A3WccQRtvk+2zzvW2AK1ZHHU=; b=ZPmpfOl2AVEnX8S8fORjhoLZOvOMuskuW7+OXfB7OdSRoir5hks0ePp4qGpk3KMnRG QD4YyWf01V+Mi9S04tOCp6zbtfMOePj7Bxwe5d5bu9CtArQ/DpfZ8DvDGDDBLHixNfkf l6+wH4NgpCnd8BuOfwFcMhsA+sPjeX2vPQmryhMAZ0/eWmCkaz7tOUuOM4DiaTz8/bfd Cv906FLqwSfM6EEwsJIBT3dLBVVqM7T36JI96rstYTq5ASE+hSTWyxG/onqGALq8v0pm w29BBo59jMyj1ZJd8aL67+cONJlV7p2cEF7h1SwLIJ3yyMBw5WIPspFnwhBw0WI9gbXa y7Vg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1733524572; x=1734129372; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ocyuym8rFuvLTolHCs1A3WccQRtvk+2zzvW2AK1ZHHU=; b=ecFAc64tvfWzhYifIuyGpJ1nGlE4Aj6E7ktiR11t9z7f5EF+n4RyHAgQKECAa4ACZP rX+f1saBNJKU89bbQ7psnOPhqtmD/T95Ubo4X9D4J7XOfG+o331DBqcm1in9/tIyo7TH fOyS3YnLjNZ/akMzNu5nwgWMUpC8IZb6moJVwM7oR6ua5pIfsV2o9/5/t7EDe/L3LOXC MUkliDseF4TYL3f7IS/wDtM9p+ajVU+L2ijWSbt2SgAid3G9IhXUg9I2mebeyrGPCUK8 jofyyRPn28NDL5QPzL3vvNS4hpaX4/vNlCV6Vcfnt+aiUkv4QW1s+G1Ntb1J5JF9i3LR RLdA==
X-Forwarded-Encrypted: i=1; AJvYcCWcr2UAgbyqA3HNBFDDKPI1nggrRdQxU8pcj7O6mCpUmkf7dUtvxY7q/jMS64rLUahaDQ8=@ietf.org
X-Gm-Message-State: AOJu0YyUPwrJPFTAfVkUdd0Y+dB6swujEX441fo6/yHO+ixfj26S7V8Y Oa5oXisV2RUrfndVL1YAN+0Lbe6BevpudkKH/kWb2ueqln3cXI2bN2n8wkzuKX1sQW457YpALXH QhSMRy7mH16yCQewkL8w5wbWash93Ew==
X-Gm-Gg: ASbGncsBz8u7XdUEtVxyc4ghI5DF20bpNNBmxERsebLqFK7iyhbyh5hR6sgMOTP/Ln9 THB5/094dwNFqVDH9Dq6BlAsqRFt5THxzO4LB8YikfXuyJOrHn/BDT/KW9SJTxLsh
X-Google-Smtp-Source: AGHT+IHLQY7G0Kfrai0tpvnud16l28pMcsMotC4eVHsL/r7yFwASxlvQ0IocOSd4FvWTRFq6efS+tvt2c8vP/nG536I=
X-Received: by 2002:a5d:6d8d:0:b0:385:ddd2:6ab7 with SMTP id ffacd0b85a97d-3862b3cf297mr3805534f8f.52.1733524570786; Fri, 06 Dec 2024 14:36:10 -0800 (PST)
MIME-Version: 1.0
References: <CH0PR11MB5444342A5C29C5C5BCCF9BA3C1302@CH0PR11MB5444.namprd11.prod.outlook.com> <20241206172906.124753.qmail@cr.yp.to> <CAAWw3RinB6WKCzLaFjds63Mgoykt-2haaD9rQEsFv2k_b8RJzw@mail.gmail.com> <CH0PR11MB5444B4B1006A10D99DBAB394C1312@CH0PR11MB5444.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB5444B4B1006A10D99DBAB394C1312@CH0PR11MB5444.namprd11.prod.outlook.com>
From: Deirdre Connolly <durumcrustulum@gmail.com>
Date: Fri, 06 Dec 2024 17:36:00 -0500
Message-ID: <CAFR824zg2pL0e+QF0oAL4ry3S+N716tEoDUTMukJzyEWpktLFg@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer=40cisco.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000405a670628a1a480"
Message-ID-Hash: GBLJRSQYN73EFAF6EPLGIH76JMYAHNV7
X-Message-ID-Hash: GBLJRSQYN73EFAF6EPLGIH76JMYAHNV7
X-MailFrom: neried7@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "TLS@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: draft-connolly-tls-mlkem-key-agreement
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LY4qnbZHcPtuLawqoVlJ5V8Tif4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

> Hence, Cisco will implement it; I am essentially just asking for code
points.


Code points have been allocated:


https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8

https://www.ietf.org/archive/id/draft-connolly-tls-mlkem-key-agreement-05.html#name-iana-considerations


On Fri, Dec 6, 2024, 5:23 PM Scott Fluhrer (sfluhrer) <sfluhrer=
40cisco.com@dmarc.ietf.org> wrote:

> Well, I am on the same page that ‘pure ML-KEM’ should be one option.
> While I would agree with you that hybrid makes sense (and should be another
> option), I am not as inclined as some people to say “and that is so clearly
> the right trade-off that we should forbid any other option”.  There are
> people whose cryptographic expertise I cannot doubt who say that pure
> ML-KEM is the right trade-off for them, and more importantly for my
> employer, that’s what they’re willing to buy.  Hence, Cisco will implement
> it; I am essentially just asking for code points.
>
>
>
> As for it accidentally becoming “MTI”, well I’m pretty sure that won’t
> happen (barring Q-day happening and the current hybrid key exchanges no
> longer making sense).
>
>
>
> As for people implementing it instead of hybrid, well, the working group
> can help to prevent that by moving ahead with the hybrid draft (hint, hint).
>
>
>
> *From:* Andrey Jivsov <crypto@brainhub.org>
> *Sent:* Friday, December 6, 2024 3:44 PM
> *To:* TLS@ietf.org
> *Subject:* [TLS] Re: draft-connolly-tls-mlkem-key-agreement
>
>
>
> I second D.J. Bernstein's concerns, but my other issue with giving options
> like this is that they will creep up into MTI sets or default sets, with
> higher priority than hybrids.
>
>
>
> I find it less ideal that the document on pure ML-KEM (or signature) and
> hybrids are disassociated, causing the progress of standardization of the
> pure version to bring these other concerns.
>
>
>
> So, as long as everyone is on the same page that pure is just one option,
> perhaps for strict compliance with CNSA 2.0, then there is no issue from my
> perspective, but that's a (mildly) controversial part.
>
>
>
> On Fri, Dec 6, 2024 at 9:29 AM D. J. Bernstein <djb@cr.yp.to> wrote:
>
> Scott Fluhrer (sfluhrer) writes:
> > I understand that people want to discuss the hybrid KEM draft more
> > (because there are more options there) - can we at least get the less
> > controversial part done?
>
> See https://blog.cr.yp.to/20240102-hybrid.html. Using just PQ, rather
> than ECC+PQ, would incur security risks without improving deployment.
> Regarding "less controversial", you might have missed previous TLS WG
> messages such as
>
>     https://mailarchive.ietf.org/arch/msg/tls/j1qkfNmk33OZ7hgCR53TiLmYOiA/
>     https://mailarchive.ietf.org/arch/msg/tls/I1GPuKLCBJ3jA-ovNcuIsLlNGkM/
>     https://mailarchive.ietf.org/arch/msg/tls/gB55YMMdfFLqaCE9ughNXX8qjtA/
>
> where various people (including me, obviously) already objected. Also,
> you might have missed BSI writing in
>
>
> https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile
>
> that its post-quantum KEM recommendations are only "in combination with
> a classical key derivation mechanism"; commentator Matt Green writing in
>
>     https://x.com/matthew_d_green/status/1742521204026622011
>
> that NSA's "stance against hybrid encryption makes absolutely zero
> sense"; and NSA itself in
>
>
> https://web.archive.org/web/20220524232250/https://www.nsa.gov/Portals/75/documents/resources/everyone/csfc/threat-prevention.pdf
> <https://web.archive.org/web/20220524232250/https:/www.nsa.gov/Portals/75/documents/resources/everyone/csfc/threat-prevention.pdf>
>
> asking for two cryptographic layers "to mitigate the ability of an
> adversary to exploit a single cryptographic implementation".
>
> ---D. J. Bernstein
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>