[TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM KeyAgreement for TLSv1.3

John Mattsson <john.mattsson@ericsson.com> Wed, 22 October 2025 06:53 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Sophie Schmieg <sschmieg@google.com>, Alicja Kario <hkario=40redhat.com@dmarc.ietf.org>
Date: Wed, 22 Oct 2025 06:53:26 +0000
CC: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/MlEYsDOjapsy8Tz5LhLbcZpffi0>

In cryptography, adherence to standards is not just procedural, it’s often essential for maintaining security. When implementations treat compliance as a smorgasbord of optional requirements, it becomes extremely difficult to analyze their security in larger systems. When I see an implementation referring to AES-GCM or ML-KEM, I expect full compliance with all NIST requirements associated with those algorithms.

As I said, the example I encountered in telecom was an implementation supporting TLS_RSA_WITH_AES_128_CBC_SHA just because it is MTI in RFC 5246. Unclear how much it was used.

>It's because of the "DHE bad" meme from a few years ago which resulted in people turning off all the DHE suites and so what was left standing was RSA.

IETF has still not published draft-ietf-tls-deprecate-obsolete-kex as an RFC, and anyone genuinely interested in staying current should have added support for ECDHE before or when RFC 7525 was published back in 2015. I agree that people doing crypto profiling by reading Twitter is problematic.

Cheers,
John

On 2025-10-22, 05:11, "Peter Gutmann" <pgut001@cs.auckland.ac.nz> wrote:
John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> writes:

>There are many TLS 1.2 implementations supporting
>TLS_RSA_WITH_AES_128_CBC_SHA (Static RSA key exchange, AES-CBC in MtE
>composition, and SHA-1) just because it is MTI in RFC 5246.

Every time I've encountered RSA suites still used today (and it's not
uncommon, e.g. in wholesale banking) it has nothing to do with RFC 5246 which
the people using the suites barely know exists, let alone any MTI stuff buried
in some appendix at the end which may as well be invisible.  It's because of
the "DHE bad" meme from a few years ago which resulted in people turning off
all the DHE suites and so what was left standing was RSA.

So the lesson from this isn't "don't do MTI", it's "don't issue a blanket ban
on an entire cipher family just because someone found one or two buggy
implementations of it somewhere".

Peter.
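The thread turns on what a cipher suite like TLS_RSA_WITH_AES_128_CBC_SHA actually bundles (static RSA key exchange, CBC in MAC-then-Encrypt composition, HMAC-SHA1) and on whether a deployment has ephemeral (EC)DHE suites left enabled at all. The following script is an added example, not code from either poster or from any IETF document: it parses IANA-style TLS 1.2 suite names of the form TLS_<KEX>_WITH_<CIPHER>_<MAC>, flags the three properties named above plus a few legacy ciphers, and reports whether a configured suite list retains any forward-secret option. The key-exchange classification tables, the issue strings, and the sample suite list are assumptions constructed for the example; the regular expression relies only on the IANA naming convention.

```python
"""Audit a TLS cipher-suite list for static key exchange, CBC/MtE and SHA-1.

Added example: classifies IANA suite names the way a defender reviewing a
TLS configuration would, so that "no forward secrecy" or "CBC + HMAC-SHA1"
is visible before the suite is deployed rather than found in a later audit.
"""
import re
from dataclasses import dataclass, field

# TLS 1.2 suite names follow TLS_<KEX>_WITH_<CIPHER>_<MAC>; the MAC field is
# the HMAC hash for CBC suites and the PRF hash for AEAD suites.
SUITE_RE = re.compile(
    r"^TLS_(?P<kex>[A-Z_]+?)_WITH_(?P<cipher>.+?)_(?P<mac>SHA256|SHA384|SHA|MD5)$"
)

# Assumed classification tables (constructed for this example).
FORWARD_SECRET_KEX = {"ECDHE_RSA", "ECDHE_ECDSA", "ECDHE_PSK",
                      "DHE_RSA", "DHE_DSS", "DHE_PSK"}
STATIC_KEX = {"RSA", "RSA_PSK", "DH_RSA", "DH_DSS", "ECDH_RSA", "ECDH_ECDSA"}

# TLS 1.3 suites name only the AEAD and hash; key exchange is always (EC)DHE.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
                "TLS_AES_128_CCM_8_SHA256"}

LEGACY_TOKENS = ("3DES", "RC4", "NULL", "EXPORT", "DES_CBC")


@dataclass
class Finding:
    suite: str
    issues: list = field(default_factory=list)  # empty means acceptable here
    forward_secret: bool = False


def audit_suite(name: str) -> Finding:
    """Return the issues a reviewer would raise against one suite name."""
    if name in TLS13_SUITES:
        return Finding(name, [], forward_secret=True)
    m = SUITE_RE.match(name)
    if not m:
        return Finding(name, ["unrecognised suite name"])
    kex, cipher, mac = m.group("kex", "cipher", "mac")
    f = Finding(name)
    if kex in STATIC_KEX:
        f.issues.append("static key exchange, no forward secrecy")
    elif kex in FORWARD_SECRET_KEX:
        f.forward_secret = True
    else:
        f.issues.append(f"unrecognised key exchange {kex}")
    if "CBC" in cipher:
        f.issues.append("CBC mode in MAC-then-Encrypt composition")
    if mac == "SHA":
        f.issues.append("HMAC-SHA1 MAC")
    elif mac == "MD5":
        f.issues.append("HMAC-MD5 MAC")
    for tok in LEGACY_TOKENS:
        if tok in name:
            f.issues.append(f"legacy cipher token {tok}")
            break
    return f


def audit(suites):
    """Audit a whole configured list; returns (findings, any_forward_secret)."""
    findings = [audit_suite(s) for s in suites]
    return findings, any(f.forward_secret for f in findings)


# Constructed sample: a TLS 1.2 server list where every DHE/ECDHE suite has
# been switched off, leaving only the static-RSA suites behind.
SAMPLE_CONFIG = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    findings, fs = audit(SAMPLE_CONFIG)
    for f in findings:
        print(f.suite, "->", "; ".join(f.issues) or "ok")
    print("forward-secret suite available:", fs)
```

Running the sample prints one line per suite with its issues and a final line saying no forward-secret suite is available, which is the condition the thread describes: the configuration still "works", but every connection it negotiates can be decrypted retroactively by whoever later obtains the server's RSA key. Adding a single ECDHE suite flips the final flag; the per-suite findings for the static-RSA entries remain, which is the signal to remove them rather than leave them as fallbacks.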