[TLS] Re: PQ Cipher Suite I-Ds: adopt or not?

Bas Westerbaan <bas@cloudflare.com> Wed, 15 January 2025 12:35 UTC

From: Bas Westerbaan <bas@cloudflare.com>
Date: Wed, 15 Jan 2025 13:35:30 +0100
To: Sean Turner <sean@sn3rd.com>
CC: TLS List <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NDfu3wsqKrCplmSZyUyuMf1vkwY>

Do the chairs have an update to share on this thread?

I'm asking explicitly as your recent message [1] could be interpreted as
one.

Best,

 Bas

[1] https://mailarchive.ietf.org/arch/msg/tls/yufDcbR8yXQUuAtldXLWTax5z8c/



On Mon, Dec 16, 2024 at 11:01 PM Sean Turner <sean@sn3rd.com> wrote:

> Note that there are three parts to this email; the “ask” is at the end.
>
> Requests:
>
> Ciphersuite discussions in this WG often turn nasty, so we would like to
> remind everyone to keep it civil while we explain our thinking WRT recent
> requests for WG adoptions of some PQ-related I-Ds.
>
> Also, the chairs are trying to gather information here, not actually do
> the calls. If we decide to do them we will do them in the new year.
>
> Background:
>
> Currently, the TLS WG has adopted one I-D related to PQ:
> Hybrid key exchange in TLS 1.3;
>   see https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
> This I-D provides a construction for hybrid key exchange in TLS 1.3.
> The I-D has completed WG last call and is about to progress to IETF LC.
>
> There are a number of Individual I-Ds that specify PQ cipher suites for TLS
> currently being developed that specify either “pure” PQ or composite/hybrid:
>
> ML-KEM Post-Quantum Key Agreement for TLS 1.3;
>   see https://datatracker.ietf.org/doc/draft-connolly-tls-mlkem-key-agreement/
> PQ hybrid ECDHE-MLKEM Key Agreement for TLSv1.3,
>   see https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-mlkem/
> Use of Composite ML-DSA in TLS 1.3;
>   see https://datatracker.ietf.org/doc/draft-reddy-tls-composite-mldsa/
> Use of SLH-DSA in TLS 1.3;
>   see https://datatracker.ietf.org/doc/draft-reddy-tls-slhdsa/
>
> The IANA requests for code points in the I-Ds (now) all have the same
> setting for the “Recommended” column; namely, they request that the
> Recommended column be set to “N”. As a reminder (from RFC 8447bis), “N”:
>
>       Indicates that the item has not been evaluated by the IETF and
>       that the IETF has made no statement about the suitability of the
>       associated mechanism.  This does not necessarily mean that the
>       mechanism is flawed, only that no consensus exists.  The IETF
>       might have consensus to leave  items marked as "N" on the basis
>       of it having limited applicability or usage constraints.
>
> With an “N”, the authors are free to request code points from IANA without
> working group adoption. Currently, five code points have been assigned; 3
> for ML-KEM and 2 for ECDHE-MLKEM.
>
> While there have been calls to run WG adoption calls for these I-Ds, the
> WG chairs have purposely NOT done so. The WG consensus, as we understand
> it, is that because the IANA rules permit registrations in the
> Specification Required with an I-D that there has been no need to burden
> the WG; there is, obviously, still some burden because the I-Ds are
> discussed on-list (and yes there have been some complaints about the volume
> of messages about these cipher suites).
>
> There are a couple of other reasons:
>
> * The ADs are formulating a plan for cipher suites; see
> https://datatracker.ietf.org/doc/draft-pwouters-crypto-current-practices/.
>
> * There are a lot of different opinions and that likely leads to a lack of
> consensus. Based on discussions at and since Brisbane, we do not think
> there will be consensus to mark these ciphersuites as "Y" at this point,
> however the working group can take action to do so in the future.
>
> * There have been a few calls to change the MTI (Mandatory to Implement)
> algorithms in TLS, but in July 2024 at IETF 120 the WG consensus was that
> draft-ietf-tls-rfc8446bis would not be modified to add an additional
> ciphersuite because the update was for clarifications.
>
> * Adopting these or some subset of these I-Ds, will inevitably result in
> others requesting code points too. The WG has historically not been good
> about progressing cipher suite related I-Ds, either the discussion rapidly
> turns unproductive or interest wanes during the final stages in the
> publication process. So while there is great interest (based on the number
> of messages to the list) about these I-Ds, we are unsure how to avoid the
> inevitable complaints that would follow failure to adopt or not adopt a
> specific I-D based on different requirements of different individuals. We
> know some of you are thinking that that’s “tough”, but if we do not need to
> have this fight, see the previous paragraph, we do not see the harm in
> avoiding these complaints.
>
> The chairs would also like to note that currently the WG consensus is to
> NOT port PQ cipher suites back to (D)TLS 1.2.
>
> Ask:
>
> Is the WG consensus to run four separate adoption calls for the individual
> I-Ds in question?
>
> The Chairs,
> Deirdre, Joe, and Sean