[TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3

"Kampanakis, Panos" <kpanos@amazon.com> Fri, 10 October 2025 14:43 UTC

Thread-Topic: [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
From: "Kampanakis, Panos" <kpanos@amazon.com>
To: Watson Ladd <watsonbladd@gmail.com>, "D. J. Bernstein" <djb@cr.yp.to>
Thread-Index: AQHcOTZUpSlTa2ywf06ioDBFiNy9y7S6rNbwgAAdp4CAAFB/gIAAUlSAgAAHAcA=
Date: Fri, 10 Oct 2025 14:43:24 +0000
Message-ID: <DM5PR18MB2326019DC4CCD1F6B96A41E0ABEFA@DM5PR18MB2326.namprd18.prod.outlook.com>
References: <CAOgPGoA+c8kXDizwsvFG5tLz9+Kxk0HqiN1skKp5jMvvpxeu0Q@mail.gmail.com> <20251009160139.42473.qmail@cr.yp.to> <DM5PR18MB2326D93261B74BECF06061B4ABEFA@DM5PR18MB2326.namprd18.prod.outlook.com> <CACsn0c=ykksQG1P-gXYsL9v624E281a+4g0-qSjdky+SMtkKPQ@mail.gmail.com> <eb65d505-2375-4870-9df0-453666391770@app.fastmail.com> <CACsn0cmqFuzwQz4a_ZmpYbBqyPM8bAokjGeQtj4-xgq1tHSnDQ@mail.gmail.com>
In-Reply-To: <CACsn0cmqFuzwQz4a_ZmpYbBqyPM8bAokjGeQtj4-xgq1tHSnDQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: JSXhBvweKw2er9o0UVZeqrEzB3hJLZKufVeXR6aOoMomXFkZgxvGUq6cu0ETI0URvm7NkR2RF4udnJziQ4RGW0h8QBgyRWIh0Sh4KI6SAotc7rFDF1aNsgaQ8F03ME8UjoL9kWuH5WuR52CfJpem+OtlwSGNcQw60riFhVj/COp1SWYnZrcYt295f8gTFn0AFh8m0ede8Uta3wCDNbIjPiFdCgxqIeUJHtLLNfPFccyKNK+4lQb+jCuijcWEbD1djIbr3TebDTKh/pe0Ln8mzcJBZAcTSe++86VeilbEcNCm8EZRdSNpnb3hfBBqmDByWd8rIxUrvHcADGY1ralaWb+Dt54Yq04JhX2qdpAiBQVOmuIT9ou0knuAH6OlHBvaL2BWE57SKenHRJAXvmjjYfrNc38IpSLjvLELsvjf5vaT5p03heGUoIi0IVRFf3nDmfRivybI56IQOPrr3LGCZ3w0Ht1zwWowy/1L1zpGv9zLs6Pcheq1qbvDanvNxXhJ0fbuT/Fy6Zv3lLx2KV8JPdKMtpf94JuKsr2rjJMe381DR5ozFGPRrxD6ovIWo6EPUfE9hhR7LHm+ZRK5jR3WJe5oZlRa8ItbCTzb5oQ/mjDj3fq6yahl3ygl2cQcRqr1uvYr53WlTy8KJy1ZDOFCUT6D6KbW3kMoE9MOoxfOsLI81NKuRZxb5YIefKxFdUEFtKbfzf1b+YZMklwwVFy4S9GlTqrBeUXKOv3CkUoZ+kyGkfieeRl1ttem6FMquykXDuEBNABL3yVCsZnbwG6iDc0CIvuIFmO+k7dzJfJdlZs+Q65dYkDykrfIwap+wE4TkDM3ttMDIkNUhPu1Zc3oNNFlh7DBF245qMB1mxL2tojtBa61y+85eMRuvx/A2Niw4BTsCxUYc0sHO68gAHbNaC73ZWooQzTok/wrLh2eBDZZmkwUHxcyCEyLVqAFt1aljmA1queFoIEN3PoMHIqIqQKq0tcc7p+mSf7S8whOFKekSWN+93X7SDBsU7Ua+RXKdl3zXFkNhIx1b2boH/gnFIPDNRMUpYndG2bzZb2XDPEhftDWQPkQK27PtPQR9VvuQL5KMHH/9InxORmsLz+hz+iKQ2HHmPWPq7C4wxuSjVISh0g15OwE7WPIwf5jNh9qku8tEt2+att2CbRrmlC6SRg7aK04YNtABU4FOTUXJFQjo5m/rtwXXSBG0bkMcNThAWfyFgTQHl6pgAYDFJT/n8dstcksZvmXoSY2wlINHGgmBo7qGvR26o+c9o22QSFp7viWYAH+FO0kRIud1cShGoM/OXbXfahTorNyc3flVj4oDowGoM2zSjWLfST4IpasYisMpe1U+7qcqhE2ESVLXXhsP9DnWkwMuCHNse/rqneShfzMOXpM5zLD/dv1YDzdhDcJHQs7Xfo86ilBNU13Y4c/LyKNUUe+5nTg6xoLQ8slic+zDN35LebDO25slzBYeroofSuGauNoneykkYFVkXnAJu8yu7y7MYb/LZKEYKH81Y1BigZhlwLl9wisEGjYVzMJJ9ju9iUOhGE4nxpMev/0naLcGGv+tHcSliKd+Uw=
Content-Type: multipart/alternative; boundary="_000_DM5PR18MB2326019DC4CCD1F6B96A41E0ABEFADM5PR18MB2326namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM5PR18MB2326.namprd18.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f5a24a29-403d-45c2-095b-08de080b5db6
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Oct 2025 14:43:24.2739 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5280104a-472d-4538-9ccf-1e1d0efe8b1b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: m1ZvkZnAxJTZaTCEfXLyplYRK4IqRafbpKRWij0t20EVYK5vWIzoiHM+qE3hrcyoGSoM9u7XP0RrBjPATCwKgw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL1PPFAADA11AF7
X-OriginatorOrg: amazon.com
Message-ID-Hash: XOX74VULUEY2IIPRADRXTNDVSAS3M2DF
X-Message-ID-Hash: XOX74VULUEY2IIPRADRXTNDVSAS3M2DF
X-MailFrom: prvs=371f8d6b6=kpanos@amazon.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: TLS List <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LrAjUJLecqfbFKwsnyEdapsiRjw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Here is an idea: Write a “Deprecate ECDH with P256, P384 in IETF standards because they are insecure” draft like RFC9155<https://datatracker.ietf.org/doc/rfc9155/draft>.

Until then, let’s standardize the already assigned codepoints. More codepoints can come in separate drafts.

From: Watson Ladd <watsonbladd@gmail.com>
Sent: Friday, October 10, 2025 10:12 AM
To: Filippo Valsorda <filippo@ml.filippo.io>
Cc: Kampanakis, Panos <kpanos@amazon.com>; D. J. Bernstein <djb@cr.yp.to>; TLS List <tls@ietf.org>
Subject: RE: [EXTERNAL] [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.

On Fri, Oct 10, 2025, 2:19 AM Filippo Valsorda <filippo@ml.filippo.io<mailto:filippo@ml.filippo.io>> wrote:
2025-10-10 06:29 GMT+02:00 Watson Ladd <watsonbladd@gmail.com<mailto:watsonbladd@gmail.com>>:
That's just objectively true.

In 2014 I exploited a number of TLS implementations, ranging from browsers to embedded devices, exploiting incomplete formulas, failure to check y etc. All these problems don't happen with X25519, which is why it rapidly saw adoption.

Do any of those attacks work against implementations that don't reuse ephemeral key shares (which thankfully are most of them now, to the point we've been discussing finally making it a MUST)?

Yes. For instance one of the vulnerabilities was a DoS due to a division algorithm that couldn't handle zero.

My understanding is that those attacks (and ~all the criteria in the "safecurves" webpage, last updated in 2017) are as irrelevant to authenticated ephemeral ECDH as the many cofactor attacks against Curve25519-based cryptosystems.

There's also  very poor performance of P384 and to a lesser degree P256.

(With apologies for indirectly taking the bait on suspicious CIA techniques<https://web.archive.org/web/20250726032250/http:/svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html>.)

On Thu, Oct 9, 2025, 8:03 PM Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org<mailto:40amazon.com@dmarc.ietf.org>> wrote:
P256 and P384 are risky choices now and the solution is for the draft to include only your curves with MLKEM768 or 1024? Come on man!

-----Original Message-----
From: D. J. Bernstein <djb@cr.yp.to<mailto:djb@cr.yp.to>>
Sent: Thursday, October 9, 2025 12:02 PM
To: tls@ietf.org<mailto:tls@ietf.org>
Subject: [EXTERNAL] [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.

It's good from a security perspective to see the increasing deployment of post-quantum cryptography. The most widely deployed option in this draft, namely X25519MLKEM768, is reportedly supported by ~40% of clients and ~30% of the top 100K servers, so presumably it covers ~10% of TLS traffic already, which is a big step above 0%.

Regarding the choice of ML-KEM, the _hope_ that ML-KEM will protect against quantum attacks shouldn't blind us to the _risk_ of ML-KEM being breakable. Many other post-quantum proposals have been publicly broken (see https://cr.yp.to/papers.html#qrcsp for a survey), including various proposals from experienced teams. Kyber/ML-KEM itself has seen quite a few vulnerabilities over the past 24 months, such as the following:

    * KyberSlash1 and KyberSlash2 (see https://kyberslash.cr.yp.to)
      prompted two rounds of security patches to the majority of ML-KEM
      implementations, including the reference code.

    * https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hqbtIGFKIpU
      prompted another round of ML-KEM security patches.

    * https://eprint.iacr.org/2024/080 showed that NIST's claims of many
      bits of extra ML-KEM security from memory-access costs---see
      https://web.archive.org/web/20231219201240/https://csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/faq/Kyber-512-FAQ.pdf<https://web.archive.org/web/20231219201240/https:/csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/faq/Kyber-512-FAQ.pdf>
      ---are, asymptotically, completely wrong for 3-dimensional attack
      hardware and almost completely wrong for 2-dimensional attack
      hardware.

    * https://eprint.iacr.org/2024/739 showed that the same claims from
      NIST are, on real hardware, almost completely wrong. NIST has not
      withdrawn the claims but also has not disputed these papers.

    * https://link.springer.com/chapter/10.1007/978-3-032-01855-7_15
      debunked previous claims that "dual attacks" don't work, and
      concluded that none of the ML-KEM parameter sets reach their
      claimed security levels. A Kyber team member has disputed this
      conclusion, writing "there remains a few bits to be gained by
      cryptanalysts before the security levels would be convincingly
      crossed", but in any case this falls far short of the security
      margin that NIST was claiming just two years ago.

[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Paul Wouters
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Working Group Last Call for Post-quantum Hy… Joseph Salowey
[TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
[TLS] Re: Working Group Last Call for Post-quantu… David Adrian
[TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Deirdre Connolly
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… tirumal reddy
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Andrei Popov
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Thom Wiggers
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… David Benjamin
[TLS] Re: [External⚠️] Re: Working Group Last Cal… Yaroslav Rosomakho
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Eric Rescorla
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
[TLS] Re: Working Group Last Call for Post-quantu… Martin Thomson
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
[TLS] Re: [External] Re: Working Group Last Call … D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Filippo Valsorda
[TLS] Re: [External] Re: Working Group Last Call … Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: [External] Re: Working Group Last Call … John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Dennis Jackson
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Stephen Farrell
[TLS] Re: Working Group Last Call for Post-quantu… Joseph Birr-Pixton
[TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
[TLS] Re: Working Group Last Call for Post-quantu… Christopher Patton
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Rob Sayre
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Appeal Response to Rob Sayre - was Re: Re: … Paul Wouters
[TLS] Re: Appeal Response to Rob Sayre - was Re: … Rob Sayre
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Peter Gutmann
[TLS] Re: Working Group Last Call for Post-quantu… Yaakov Stein
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Joseph Salowey