[TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
Eric Rescorla <ekr@rtfm.com> Mon, 20 October 2025 15:54 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 404B47835C2B for <tls@mail2.ietf.org>; Mon, 20 Oct 2025 08:54:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K-kFeHeXhChS for <tls@mail2.ietf.org>; Mon, 20 Oct 2025 08:54:15 -0700 (PDT)
Received: from mail-yx1-xb135.google.com (mail-yx1-xb135.google.com [IPv6:2607:f8b0:4864:20::b135]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id A78CB783512D for <tls@ietf.org>; Mon, 20 Oct 2025 08:52:18 -0700 (PDT)
Received: by mail-yx1-xb135.google.com with SMTP id 956f58d0204a3-63e10cd6efeso4188902d50.0 for <tls@ietf.org>; Mon, 20 Oct 2025 08:52:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1760975538; x=1761580338; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=MzxvjxkpT2P8jF1/rwp1yX8GYPvV1isqhsLTxBl1lPE=; b=nBithLbUIAcxpNuuAULr9+pIf838766aVOiDf3S7btrGQ/5MxL0l0x63iaz1gG9Mhb vIuX0rPK9ccLgZKwlPVjBCL8oWL8AszMm9193tjRX3yMwXmhWBoTL2SJDKHqNPYqzTO5 Flxa/qc2fyKzI32JaERZvRJzdHqC488k+jGS6eFM+3wRM+M7nHjw6MzHLd22T0I3QZr5 gnYFoZ42aPvxcpE+CQfzqDgaWDz2dAUz7wAm8xoe3+EsmfbtR5s95qI/VXJYlrChu/cD sMBUEFj7plA7J/QGV57JMcs4moIsOET7N+1E1MijkZ/ra/UXcnExBRYhvSB7EUwKIUKK /RJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760975538; x=1761580338; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=MzxvjxkpT2P8jF1/rwp1yX8GYPvV1isqhsLTxBl1lPE=; b=qI7OTaW/aU4fvLwMnY4bBhqzRlay9YmZBqagbAPtbAeZXqJHIl3HOEecz+FXlf9BEa /wue9u6eoF/hGYZxXvWKc7syMHWPqLEfBxaa6n9UfSpLGsFc0BbKFGNF7edRm8wp1kG/ JNA7/K4qR4K7fz6OVKLLnTqFYdWQWHh1o4q5PsoG+BmTv4/S/KyOLeUFmOEi62LcGTg/ 8EMzlt56J4zT5CN9xHxBz90w7zXulMeNBs9v7V4N53bwVpbYsUzddtdkjCwECL4uWUCo qQEXvw++ltOSfP2YSMzkB5SG/6V1AdUWR3n5c0dgk9V5INJJmnx445vN7jq/kCkN0ybJ 4rCQ==
X-Forwarded-Encrypted: i=1; AJvYcCWiwQoJxwmywHL5/m6llqeWyGwOA7hUNMy7GPsuY/p5cIGI8UCsK3V7Fxe7oBZ1lMTg7Yg=@ietf.org
X-Gm-Message-State: AOJu0YxDmgiG0I/Q2QIA4N0H4eczXpc7hylMmUU63QKumASR5DetdMYW stqaF5SxeS8zD3HU4bJSyrsAqUFhKPL2cJOe0KxtDk9dHga6dB3kWKQa6dcpYr6TaDrJ19AIjO7 kdETjVbfO9IkFC9CrK5daFfbjJAlVP6ePtrTjii/XPg==
X-Gm-Gg: ASbGncsW56wL+ijnzK9tb/XxSShr/ELYXMoUafZoexx0rwWEdJGx4OxAAbZlbOnfu9c PSjZTGTJ/JUvp8yfIIyRBhco3xycsE6drqjPdGD/Qv/hQwI/WOX6fQXJOKNFjCs53l4gFhg/o1W BkfL9wYSGrC9g+tc2XVzb2H5oEL+CYL/iIgyW7iWGVstgT0ygFfVRLccIHDDLRao/g6CetD9tXV ZzS5oWtpoD4XvtrrkHcQg1GOfRH4Q+DfjlbQn5bDgrH9PmwmoESBFJ8shth2zsofaRu3b6JjZhV w6pGEKRr6iCRCQzHdRuD85fI7NrqPu9I9xScs0P9HKLhV2xaN4jAX7FwiIzlJjEMC2iuYB5Cj6U =
X-Google-Smtp-Source: AGHT+IHJD49QZaXbCS5juQaGW3GiapHOknYt8LM+MPYmYpVzMzWwSD10RVGxDdYiWcj8d/0Xfbuz0s/8DwJvZfwvtfc=
X-Received: by 2002:a05:690c:81:b0:77f:a55e:d766 with SMTP id 00721157ae682-7836d2edea1mr223671317b3.45.1760975538104; Mon, 20 Oct 2025 08:52:18 -0700 (PDT)
MIME-Version: 1.0
References: <GVXPR07MB9678ADD1D3268BB055751EA989F5A@GVXPR07MB9678.eurprd07.prod.outlook.com> <CABcZeBOH289QVSZomDfE8dUK5oB7kM0i_66s3S260WOjyTp4kw@mail.gmail.com> <871pmxip86.fsf@josefsson.org>
In-Reply-To: <871pmxip86.fsf@josefsson.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 20 Oct 2025 08:51:41 -0700
X-Gm-Features: AS18NWBkLrx9CAmzG-YrS8q0zzXwL7VyuG0M5YHkkQIz8Est_n6mISyWuUwDkok
Message-ID: <CABcZeBOCRhj5tSS-Mj=ZiLpW_BirKMeKYCZfezKNA1-CyZ96qg@mail.gmail.com>
To: Simon Josefsson <simon@josefsson.org>
Content-Type: multipart/alternative; boundary="00000000000068395706419911b0"
Message-ID-Hash: TETRAAXPAHVT7Q7PHQ5K7FOJNWABZWWD
X-Message-ID-Hash: TETRAAXPAHVT7Q7PHQ5K7FOJNWABZWWD
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Kris Kwiatkowski <kris=40amongbytes.com@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/MhHTCcC67ZWghN9xZ1BH02X1qqs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
On Mon, Oct 20, 2025 at 8:10 AM Simon Josefsson <simon@josefsson.org> wrote: > Eric Rescorla <ekr@rtfm.com> writes: > > >> *EKR wrote:*>It's purely about whether we think it's reasonable to > implement. > >> > >> This is the current meaning. RFC8447bis will change the meaning to: > >> > >> “This only means that the associated mechanism is fit for the > >> purpose for which it was defined.” > > > > Right. Is it not the opinion of the TLS WG that P256/P-384 + MLKEM are > fit > > for that purpose? > > RFC8447bis requires IETF-consensus. I don't think that question has > been asked IETF-wide at all so far, has it? Has there been any > consensus call in the TLS WG on that question even? So we don't really > know. > RFC 8447bis has already been IETF Last Called and approved by the IESG, and is in the RFC Editor Queue now. https://datatracker.ietf.org/doc/draft-ietf-tls-rfc8447bis/ > If not, on what basis, given that we require you to implement P-256 alone? > > I don't think this comparison with historic MTI of P-256 alone is > relevant for deciding about P256+MLDSA today. > It's not just historic. RFC 8446bis (also in the RFC Editor queue) continues require it. https://datatracker.ietf.org/doc/draft-ietf-tls-rfc8446bis/ It is reasonable that we required you to implement something a couple of > years ago that we wouldn't require you to implement today, but we > haven't gotten around to publishing an updated document. > As above, we are in fact publishing an updated document which requires it. Compare the migration away from MD4, MD5, DSA, DES, RC4. The tendency > to move beyond those algorithms happened long time before we got around > to drop them from recommended/MTI status Well, MD4, RC4, and DES were never MTI in TLS at least. the MTI in TLS 1.2 was: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA ( https://www.rfc-editor.org/rfc/rfc2246#section-9) I tend to agree with you about DSA. Even at the time TLS 1.0 was published, RSA was far more common, but as you know, there were concerns about IPR. MD5 is a special case because it was baked into the core of SSLv3 and TLS 1.0, so you had to implement it as part of the transcript hash, but, as noted above, it was not MTI otherwise. The concept of "Recommended=Y/N" didn't apply at the time these algorithms were in wide use. By that line of reasoning, it would make sense to standardize and make > MTI the brainpoolP256 curve too. I don't think that is reasonable > today, so I think the analogy is invalid as an argument. > I don't understand this line of reasoning at all. The TLS WG made a specific decision about what curves to make MTI at the time TLS 1.3 was specified and decided not to include Brainpool. -Ekr
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Paul Wouters
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Working Group Last Call for Post-quantum Hy… Joseph Salowey
- [TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Post-quantu… David Adrian
- [TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Deirdre Connolly
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… tirumal reddy
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Andrei Popov
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Thom Wiggers
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… David Benjamin
- [TLS] Re: [External⚠️] Re: Working Group Last Cal… Yaroslav Rosomakho
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Eric Rescorla
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: Working Group Last Call for Post-quantu… Martin Thomson
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: [External] Re: Working Group Last Call … D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Filippo Valsorda
- [TLS] Re: [External] Re: Working Group Last Call … Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: [External] Re: Working Group Last Call … John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Dennis Jackson
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Stephen Farrell
- [TLS] Re: Working Group Last Call for Post-quantu… Joseph Birr-Pixton
- [TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
- [TLS] Re: Working Group Last Call for Post-quantu… Christopher Patton
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Rob Sayre
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Appeal Response to Rob Sayre - was Re: Re: … Paul Wouters
- [TLS] Re: Appeal Response to Rob Sayre - was Re: … Rob Sayre
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Peter Gutmann
- [TLS] Re: Working Group Last Call for Post-quantu… Yaakov Stein
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Joseph Salowey