[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM Post-Quantum Key Agreement for TLS 1.3

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Fri, 18 April 2025 22:39 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Watson Ladd <watsonbladd@gmail.com>
CC: "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/OP4fHIfxv8yH8ZG9OuAHFu36t5Q>

> An interesting point here. For the current approach – indeed, ephemeral KEX does not need PKI.
>
> However, consider AuthKEM proposal, and KEMTLS – while ephemeral keys certainly won’t depend on PKI, the static ones will.

But you can't have the AuthKEM keys going all the way up the PKI, but
need a signing key. 

I’m not sure I understand: certainly, you can have a CA-signed ML-KEM key, which is what we’re doing. (The fact that our CA will only do ML-DSA is beside the point.)

And at that point you might pick the right
signature for the job at each level: big public key ok for root keys
if it makes signatures smol. Intermediates have to be fairly balanced,
but if you can elide, tradeoff similar. And signatures on ends need
pretty quick verification. 

Please see above. If I misunderstood, please clarify. 

Thanks