IETF Logo Mail Archive

[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

Eric Rescorla <ekr@rtfm.com> Mon, 24 November 2025 15:36 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id E56B88F8F378 for <tls@mail2.ietf.org>; Mon, 24 Nov 2025 07:36:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 45fk2J5x3AeZ for <tls@mail2.ietf.org>; Mon, 24 Nov 2025 07:36:34 -0800 (PST)
Received: from mail-yw1-x112a.google.com (mail-yw1-x112a.google.com [IPv6:2607:f8b0:4864:20::112a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id B8A758F8F350 for <tls@ietf.org>; Mon, 24 Nov 2025 07:36:34 -0800 (PST)
Received: by mail-yw1-x112a.google.com with SMTP id 00721157ae682-78a6a7654a4so42955887b3.0 for <tls@ietf.org>; Mon, 24 Nov 2025 07:36:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1763998594; x=1764603394; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=P7t7K2kEaUnROhXs+nNwMLvrNuUN0Fh3GztJC5xNyT0=; b=iJ4GlbwOpGmgkyMoLZ+VLSI0Iryiqq6hofFR4Jd6Br1rOMIPgpP/VzmjvCCUG0jd6z ljrS02498anJLukcm09lHP/BFFFlrl9z/LnSvKIF5+oeq424B1GcVqSC7yZfCr0+AvhP SN099fr3+sM36NCXiYngEsGksLb2yxqoR9+C0ZvxxuRLl/ix8DhB5gm6W+tij/LOvTB/ jjdOYiMfIH6/h0M5+onBJNDlhX7C5zkwfNXyXpmb1SQgnkwWZ/ORBj8t6TMemyLu6Cj/ wpHofr4qT9EFvxGeVfW68aDg3Tv6AOZh+4uKw5vYeqpCeZCqx0+VyzqHXZnt3nH9j8zQ 2uAw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763998594; x=1764603394; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=P7t7K2kEaUnROhXs+nNwMLvrNuUN0Fh3GztJC5xNyT0=; b=c7BWs666hxcQU9Q+JuvKF+6MiET7XKvVcQ8MpibykHwP7DEFHxtCgs/x0TH2VFgkHu w7lnjBsHMiayB5BcKhdD8SryTopHdtTvaDOP7QJLXJluo2AJfA+fMdem4q10bnXnBecj TKUvtFlgsA4QuzSgFCl9hvH2ZOPEwBwgBzBdFZj/2tTRx2VJxpDv3or+yV8sRRWQ+I2y gC9BY11NB+ivQjTRyrjJCD4H6zE7Y7NoH9g6MsHg0JiUPYOhWhWAR0lPwP2X5WhY3U7+ a90fHHLDNJOzZ2ZgrTcRBwyQXK/5xQkULmtNNfh7AVmggkYJODyfWbcDKGs8QmUC/cOC SH6w==
X-Forwarded-Encrypted: i=1; AJvYcCUE931waPx/6oll/IFiuH0jPhMIW/kQ4W2JDN3/EbWpqNSPUOvkvsiche/L3X0oLg/P3kU=@ietf.org
X-Gm-Message-State: AOJu0Yw+2tl6OtaemevdI6931o/rorJ8z2bZXM3tCjes5Ybnslyh3cod o2D64Utpmezhkldzg+ZQxIx8p3TJI6tQUAP1Fs0qnMpIk3BzoMkGfauvaDFejr8mJ7BzZsIK5J0 xsXnccvwnYW+xdvHkHbDOjmTYsHV7LICLH48ieDSgvQ==
X-Gm-Gg: ASbGncslhqqvbw4xVpXLOqDCvDeQNunDI4Vh2nJaKPKL1B9lYwFyyTU8ymdHKI918xB 0FssnpMIMBv+cPrCMAgC9Ji5YALjONX9a2LGLyX1S3SjRFNbJSL9YfAvFLqR/JOX3W1TdW9njHC ffS5RXu5bV/Pwuad0sJVioYWZLPz9weNAbW9M3IM218o7ki4m3jMHB7OOuA3Csvng6vT0NXIQVi XpD2TpYtfam65qPonnjOm/9ZOw3lIn6MNdwfz8GVLMN+fNo5ymAh6MV6poVYWcscXJCHmHVVW+b vSU1fyg6hawsKmVJCg7JiV5WjEsLeYGVlCqcxwRnMnBq6rZq1BkyFQlRHINCJ+HsnBu0uwkaFlg kL9a52d6NiQ==
X-Google-Smtp-Source: AGHT+IFoXT+DVmgcofHeIXCdVwyNpGujy35tQkwG1lwGEkLWcmZeW933JUQnT70dXt6OtXlQ3wgj3PbevQ7lcfi+ea8=
X-Received: by 2002:a05:690c:3388:b0:78a:6e23:2542 with SMTP id 00721157ae682-78a8b5288a9mr88586657b3.35.1763998594112; Mon, 24 Nov 2025 07:36:34 -0800 (PST)
MIME-Version: 1.0
References: <176236867319.904123.10146982018394612684@dt-datatracker-5df8666cb-7l4w5> <87see331ox.fsf@josefsson.org>
In-Reply-To: <87see331ox.fsf@josefsson.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 24 Nov 2025 07:35:57 -0800
X-Gm-Features: AWmQ_bn5jkCYMjBLbtMdD_hu8uCt-S4gkwiaf4sEazGO-nIbEOOpokZNUhDHl2U
Message-ID: <CABcZeBMiXTGzNUZ54nEOe2K=MWTU2dxo-o0eoweKcf6av55Wrg@mail.gmail.com>
To: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000962d65064458ed44"
Message-ID-Hash: ROK6HOZCXEH2Z6JQGT6JXFHGMVGIE2O3
X-Message-ID-Hash: ROK6HOZCXEH2Z6JQGT6JXFHGMVGIE2O3
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: draft-ietf-tls-mlkem@ietf.org, tls-chairs@ietf.org, tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/O_nvyIFNW1v0pHjumOn2VLpYsDM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Mon, Nov 24, 2025 at 7:14 AM Simon Josefsson <simon=
40josefsson.org@dmarc.ietf.org> wrote:

> We are having trouble getting safe hybrid PQ solutions published.  Until
> we have a couple of widely deployed hybrid PQ KEMs published,
> implemented and deployed, I don't think we should fragment the already
> thin resources we have to reach that goal by spending further cycles on,
> and then publish a fragile solutions like this.  Please prioritize a
> non-NIST/MLKEM hybrid PQ KEM for TLS.  FrodoKEM?  Streamlined NTRU
> Prime?  We need more hybrid PQ options.
>

Why? The general deployed pattern in TLS is to have a small number of
dominant algorithms and we already have X25519+MLKEM widely deployed.
Given that any particular connection can only be protected with a single
algorithm, it's not clear to me how the world is improved by having multiple
algorithms with roughly the same performance properties.

I could see some argument for having some algorithm with significantly
different performance/security tradeoff (though as I understand it there are
some practical challenges to adding Classic McEliece), but that doesn't
seem to be what you're suggesting here.

More generally I am opposed to the IETF publishing any algorithm
specification
for TLS which has not been externally vetted. That could mean standardized
elsewhere or sign-off by CFRG, but the TLS WG should not just be picking
up algorithms without external review and adding them to TLS.

-Ekr

v2.37.1 | Report a Bug | By Email | System Status