[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08)

"Salz, Rich" <rsalz@akamai.com> Thu, 16 July 2026 14:15 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id D8AE1117D78E0 for <tls@mail2.ietf.org>; Thu, 16 Jul 2026 07:15:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1784211339; bh=TG8VAIgcYFf6OvZ2ss6YaL9c4wTVcqTlLkvj1Fad8Bk=; h=From:To:CC:Subject:Date:References:In-Reply-To; b=y91mE95Fnq0vDORRzuONa5xZMx73AtQE4DEzv7Hb/SLgKzJ1DRXAwMKz0d410AQDh aoJNLxrxVFWO0jo+GysmFbVZZP7nFr3+RIHsdJmR4znfLRQCjSZdpyVmXg/ermglOt BWTsEM4bxD0gUJMvjjsyqo0wk5ZIbLDtNbu7EysM=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.794
X-Spam-Level:
X-Spam-Status: No, score=-2.794 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5U2AH7MYQWXH for <tls@mail2.ietf.org>; Thu, 16 Jul 2026 07:15:37 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [67.231.157.127]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 14FF1117D78AB for <tls@ietf.org>; Thu, 16 Jul 2026 07:15:36 -0700 (PDT)
Received: from pps.filterd (m0050102.ppops.net [127.0.0.1]) by m0050102.ppops.net-00190b01. (8.18.1.11/8.18.1.11) with ESMTP id 66GDLQXl184381; Thu, 16 Jul 2026 15:14:34 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=cc :content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to; s=apr2026.eng; bh=TG8VAIgcYFf6OvZ2ss6YaL 9c4wTVcqTlLkvj1Fad8Bk=; b=PbeUHD1V01l/nLTPa7cZHop0xqe8sVXkpLqly0 c+WhWyxlVycBFFeC1GGedBiRE6iUjk4JqNPtckx+e3U0o1mqUVIqD8l+g+yZWUN2 Q25AI3TjMTIqB3PqbKSnDOObeGsZWyr+omlvKPhkXjag7o2/VXeiUeXejSRtviRn dn/kyI17ocEszDC0q8vpgG2ngu04A1Ybo5aItUC1HOhj2MdSbMxpJWs8yRy2d6Ck fAQ7jVgBSWUZj4qUUyYLd/RaBQVhZQMNkWJoZ9aqwie8JMbZGojbSlJpt49q4VOJ f3rCbtjtA7wB8291/08ApSNtRAUJ/l/c3pkaNf8p1+Ke6n7w==
Received: from prod-mail-ppoint3 (a72-247-45-31.deploy.static.akamaitechnologies.com [72.247.45.31] (may be forged)) by m0050102.ppops.net-00190b01. (PPS) with ESMTPS id 4feesg2u23-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 16 Jul 2026 15:14:33 +0100 (BST)
Received: from pps.filterd (prod-mail-ppoint3.akamai.com [127.0.0.1]) by prod-mail-ppoint3.akamai.com (8.18.1.7/8.18.1.7) with ESMTP id 66GEC5WV016537; Thu, 16 Jul 2026 10:14:32 -0400
Received: from email.msg.corp.akamai.com ([172.27.50.220]) by prod-mail-ppoint3.akamai.com (PPS) with ESMTPS id 4fbh5vm4uy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 16 Jul 2026 10:14:32 -0400 (EDT)
Received: from ustx2ex-exedge4.msg.corp.akamai.com (172.27.50.215) by ustx2ex-dag5mb3.msg.corp.akamai.com (172.27.50.220) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.43; Thu, 16 Jul 2026 07:14:32 -0700
Received: from ustx2ex-exedge4.msg.corp.akamai.com (172.27.50.215) by ustx2ex-exedge4.msg.corp.akamai.com (172.27.50.215) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.37; Thu, 16 Jul 2026 07:14:32 -0700
Received: from CH4PR07CU001.outbound.protection.outlook.com (72.247.45.132) by ustx2ex-exedge4.msg.corp.akamai.com (172.27.50.215) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.37 via Frontend Transport; Thu, 16 Jul 2026 07:14:31 -0700
Received: from MN2PR17MB4031.namprd17.prod.outlook.com (2603:10b6:208:200::22) by LV3PR17MB7217.namprd17.prod.outlook.com (2603:10b6:408:27b::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.223.12; Thu, 16 Jul 2026 14:14:29 +0000
Received: from MN2PR17MB4031.namprd17.prod.outlook.com ([fe80::4b85:d514:5021:bba7]) by MN2PR17MB4031.namprd17.prod.outlook.com ([fe80::4b85:d514:5021:bba7%4]) with mapi id 15.21.0223.011; Thu, 16 Jul 2026 14:14:29 +0000
From: "Salz, Rich" <rsalz@akamai.com>
To: Nadim Kobeissi <nadim@symbolic.software>, Jacob Appelbaum <jacob@appelbaum.net>
Thread-Topic: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08)
Thread-Index: AQHdDmPrSGzX0tikD0GavO1cYXupY7ZjGEgAgAAKPACAAKzdAIAAJ0MAgAAK6oCAAAwWgIAABYIAgAClVwCAAA2FgIAAEfgAgAAIHACAAH46gIAC3KyAgABFIQCAABzPgIAAKcOAgAC3DwCAABA+AIAAMnaAgAAxC4CAABICAIAAdvgAgAEX3QCAABHoAIAAnAOAgAGlUQCAAhymgIAAOwuM
Date: Thu, 16 Jul 2026 14:14:29 +0000
Message-ID: <MN2PR17MB40318B05CDD3267E73EC2E82CDC72@MN2PR17MB4031.namprd17.prod.outlook.com>
References: <92e0e621-8efa-4e8d-a7ea-4183981616b9@streamsec.se> <0e91ce21-028a-438d-9ea8-a416d3d393ee@appelbaum.net> <78945c98-373b-4041-84fc-79689d4b67f1@streamsec.se> <70756c21-7ecc-4f83-89ee-db9a69331a0f@appelbaum.net> <655d7b49-e099-40a5-a04c-546a54d6ce57@streamsec.se> <6d3bb45c-4bf0-43b9-a9e8-7e4632eebe94@appelbaum.net> <CA+iU_qn0XUYY8MEgyEOZuNt=bsHoBd1kKOjyNuFAjVOYG8FoPw@mail.gmail.com> <AS4PR07MB8825C6262BD443833F31A2D089FB2@AS4PR07MB8825.eurprd07.prod.outlook.com> <9f8ca8d5-c6f8-4c17-bc0f-e383c8f8e0d2@amongbytes.com> <CAFN1edp0=Yy5fpfRaPDEQFNNJCFYc40BGKX+YQ60yGSm5YVOzw@mail.gmail.com> <alOtqkD-ReSBeRzE@chardros.imrryr.org> <5b489b67-bc71-459c-bef8-8758dec2b3b0@appelbaum.net> <10c57c2e-a522-d654-7b3b-88522aefaa18@nohats.ca> <8b4142ef-8136-45de-adb4-3c25da4df411@appelbaum.net> <3c98fb1d-f839-fa9a-7bbb-47d436a77241@nohats.ca> <e1690372-4167-4407-af52-98e462ea009d@appelbaum.net> <4F76363D-3E24-41E8-9D45-8434C5352664@symbolic.software>
In-Reply-To: <4F76363D-3E24-41E8-9D45-8434C5352664@symbolic.software>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-reactions: allow
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: MN2PR17MB4031:EE_|LV3PR17MB7217:EE_
x-ms-office365-filtering-correlation-id: c0af6ffb-2d15-4f55-7d34-08dee3448cf8
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|10070799003|23010399003|4022899009|376014|1800799024|366016|3023799007|5023799004|4143699003|56012099006|18002099003|22082099003|10067099003|8096899003|38070700021;
x-microsoft-antispam-message-info: 31YuHsZQhUy3Yi19VWUFlJ0+D3SC8ABnnt6/T2MA4GwduAikjH5gYZDRRfLGFfEnqJq/Nx4yknvhiK7Wwgnh/6QkI8m3Dfv0iIjZfv7P3Shlor5zXoeH6DRrTNFiUyjdmKUKOScYfsZ5wNXLPD1xfuwSuYw32CRJ8TJ/JUZ0xBrHN/Bx36W4doAffvvO2q0LSLT0e5Nw9no7f+04aMYQx1B6660PY6E7be7HIcHmiRYkQJaycVbriSS4rWjJj0hLwj1W/1xEqfZLu+gZEip/rvEvx+I2ggmLgdNaF/sKlo++EVbMpvpNmhAOWyas+CBvnGbBQUczFN5hmd+S4HLjFmrnZOeF4ogfnNU/eHZIeyovoqOQordysBNbTt0MzB5AGgeaC5WSZfg+DbfrQdFyJUVoGOwI9m65B9nbuLZeo6iTenL/+O+t+JWayWBLGs14QW46dU8fiH/V7sxeFQt8/S5ohZDOcUt+XrMYRz7looKLW5xnHFIEetl4rXSPSV8mDo8l//AQWVKpsFghOL790NRKZBkJdapF+FwBj53XVBOMxbavDrBGvbOnSPXqeQnQxOZokfRLh2w0VnCeilYNG1GWOIFqxPSDwfLRi7qVfHY5QH6s7dvRRx/tp76AVpHLJiIe5eVQ2B7I8TNK19y7P8ABydebhkCZzlRygYYT8fA=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MN2PR17MB4031.namprd17.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(10070799003)(23010399003)(4022899009)(376014)(1800799024)(366016)(3023799007)(5023799004)(4143699003)(56012099006)(18002099003)(22082099003)(10067099003)(8096899003)(38070700021);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 2
x-ms-exchange-antispam-messagedata-0: BytIY8f8S4AuCPoS1/DS/XRWK9FfdC20ypxqOgs7erOHyAwjr7frYvHGdJyVvrCUT2PAen1nTX7D0k7OcHwQ2op0aoZ2V0vSgoPSh8tQ5E9mGnLPeMBaS8dWQ1pjCtlo0u9IVLZ6/rxFwOueILbnrHiqRQWG6ZskOpt0gjSK+kBP3jf2+mROQ4HJpW39MzTTvbXkJmMIdDcoWk5cy3NItQuu3LbCNgJ/EET/DpP59NXdaUupwgoTAeNNDXA9HmRBkTZprevb4Cx0hnbp68XrFJMtXkOnZo+qt5jYyw3gvnHtIb1v2zR+zyO3baCE8Vf4FZcYnH+ylKq5Rx5SNHCRrkV4xHhDJcMa8E42Un0W8TNNAsfxHsloK7Jgl0f7zWMkJxznvg73Er+NyVeb8SqPpkW93sN/0wEFh3iuZbN7pYNz6V4i8OPQeIPJsPAvH/0LLDc8rWQsVGCHgDh+k9uOvB4nQ42UVer/58qRSw7yzA9NF0VgzwaKo4woRQyGt2UE3XhjSFkhFBauQhh2nzEvwtY/RywFIjeNZhrcfIHHh95ZSF3ZnYtXNLoGX28TqvwSRA0im6Dsemmx/e94Y+nRSgUn6557s44oGbonEDyMkz9PGoPo/bx8QhpzI1X6+zBor2ka4DXczkHRW+svQxlpNrlpP8Q06n/fXIr3v8hRm4VavXjXzs2o1Cv0H0U1GbQxFK4G448PYF9zkUdVplhsnWpn4PIuQgQPN0Vjc/aoc61cr+QlwJryEOqMbq3U1raSSdI6SuQFxDcyzVkQhf2SlkqJ4k5A/32VL7J/hO/a7uASMPW3ioXbU1Tl0z/C9Chd7dXKVPIudzIA64fGrRLXwQK/pJEXC4JNJMIMI95ulKEqi8MdOP/tuTYdWbPXWbjyUNFSUKGI1f9ZcR5oipvVKs4LV3LtMd1aVjqNsYh0Sc/eu6kneBjtd6A6j2SYy3oVNdJ7fe6ZvYFjBn5TAEvL5ykDJPWbJSARyUR8/4oT+C1BmlqFhSLoFoXlU1AtFmMrxOpqPG90DfUVDH6LaMRDPopIZUY7sJRtJZboRgTIXTCpDXKdaAhwmyEeAr7PQVmEmUprhimpbUWFIa6W9WyAw7SlLsTeIOshtQ4kDuEEaJAD8aujiRQ3hMb4Sr/MRBBQ5ac4MdPtAfOoJkjWfAHlunewFsnoGmRodZ0eZVGGDrCRFZy8Q0uVr7AbyIqVkFiFFN6D+wY1VOoa3/KGTPJ0SLuhJkK5Be7xUOwfqysHxpsdp1igTW4kGglOZAe7PPEUb2bOOIULij/cQ41P4iCIY9wEZRr3Oa7BQ8OFOV5gCCNkT39qGw8EzexFIYIC2RQbqTjqwZWnzaUtLq/N2sQ90wkYzpKrplJ/YQ220PzgVSkbrLJfJhaD9YcECc3lM4bCJEy8ipILwfX18yrVefpSbvwbFONe6bSBICcb+nd7sLPkDavf4U73pPLntLpU10ipSnuyBfTQVK0K7aSUHSmKJI1lFwx2hQ90qh6y1bs72Aomkw3pch8M/rK7NraUyIEaVevZC85LUeUgkGvxpLFf35S5b/W1Bjw3qHcrpwQL/Y5d2KNhu0+b0A7QpOCvPpG3ovG51oOjunCnF0hij0De5Lgzb5+oDO1CzitPDYmfgiSmhnm7gksoG5LTGuaqls/wYHNwVQyTzbjIDJFoK24E3LE3z1E8HI95yXO9dFyj9VJm/ySLfTBMGb7zwp/hGcZdZ+qslt+nXjuwLI+qvV8dh90tAjxdlYACQ8KiAsA5GLQA93jDNiDYtcJrngmQLcOXxwfQv+mL
x-ms-exchange-antispam-messagedata-1: +z1hbIgOstnrRw==
arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=sbLLcvCnjB69mD1mr6xdV0o478MUVhAktHkdT6fy6Bd94v75fNtzNTbsTMZ1tNHSfENIBD9COff/bq7fGY6VoHSYcJaAu/qmo1aJoykgDIZRo+up0HwCulDDrMQPXiQrj/cxZEdpHNMAkBG6XofGfgVjvI/+uGzrIlN95XdLfo4CMMamn0Okog0grspsXDTXOjM9olGk/uGbUfOKKi/5alm8xkBkI4qLIBa6r3GiFlTbL8L/NVLMYAs5NF1pKlJldUChckC40QpGDs/0OnQQ/7cgj982ilBERG3wC/wDwcYE5oMB49uW6+O8WBj49fDnnoVf0X+K1RdL7mNBs8t6lg==
arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=kjsOVDKK+HrT1XsN0pbSMxH8qAUKvMaVP1DJ70yZ6iQ=; b=vxyjaBu1zODhpHt/g5PjxP+TomDUBv5HhAkFUAY4DgKE/ysSPEtFaApjbi9epvX6byJJwdHtXLQ6oNFxjOflcAKa8cM7b3pqVPhLodQfE/gWiOEnRLBTvyi+r+34XOgrAQny9kyKHl38fCd/U5GOEADufRx03LKVu9cqOKgzSXbnNgE8Mfb9ZkM3iEBQX2nl/PO+3+l+SS+wXreD1/USdXTloabyL/WuIJrj8KclNfHe/NIwAzXyh1W8A/iL/3gYjCudX5x/qvliIEr5pxeJkE84rCMrgoHenjXQ0jH4aR5x/xTKU6RC59JTLi08zE+EtDSA4TVt4Q/BXrVfZCQhFg==
arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=akamai.com; dmarc=pass action=none header.from=akamai.com; dkim=pass header.d=akamai.com; arc=none
x-exchange-routingpolicychecked: HrQqQ6EtNtdMEcP6ypSWtY3SFXigvE/Fp4t6+YNvpmReGmM7zRS3eSY/E24utqpggoUorXOVZ8gCuYrCn4hd+9VEGc0dtg8N95NzXw83JLZDwlqDZHjz/WAshUpWpVDcNdCD1LP6lgDGL0joUdoVSY63lj7rFTjAMC7VELZTX46hZUs6WfPHz26M/ghB+XccYxnnJsIGUl9loF1tZ23T0NRWN3a8c0gwvMV3vfLWMXUWRwV1gUzYksFCBu9KmrYbkxGt8J10YXdBH08f5LWS2Dm7k9rtX4eY8q5HPJmbvKhtbsR6GikGBkCeuDvb1Qyt1dnUyHSjRnC/9A244TqXtw==
x-ms-exchange-crosstenant-authas: Internal
x-ms-exchange-crosstenant-authsource: MN2PR17MB4031.namprd17.prod.outlook.com
x-ms-exchange-crosstenant-network-message-id: c0af6ffb-2d15-4f55-7d34-08dee3448cf8
x-ms-exchange-crosstenant-originalarrivaltime: 16 Jul 2026 14:14:29.5350 (UTC)
x-ms-exchange-crosstenant-fromentityheader: Hosted
x-ms-exchange-crosstenant-id: 514876bd-5965-4b40-b0c8-e336cf72c743
x-ms-exchange-crosstenant-mailboxtype: HOSTED
x-ms-exchange-crosstenant-userprincipalname: TNO4NyjJn04jstdSvexxUURNHRGgJs4qfjQVlge6yH2WwQGw+Coz6CEVbxlLoq5ZtzP1B9aGaPLNImKQMvyB3Q==
x-ms-exchange-transport-crosstenantheadersstamped: LV3PR17MB7217
Content-Type: multipart/alternative; boundary="_000_MN2PR17MB40318B05CDD3267E73EC2E82CDC72MN2PR17MB4031namp_"
MIME-Version: 1.0
X-OriginatorOrg: akamai.com
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.134,FMLib:17.12.100.49 definitions=2026-07-16_05,2026-07-15_02,2025-10-01_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 lowpriorityscore=0 phishscore=0 spamscore=0 bulkscore=0 suspectscore=0 malwarescore=0 adultscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.19.0-2606160000 definitions=main-2607160146
X-Proofpoint-Spam-Info: AW1haW4tMjYwNzE2MDE0NiBTYWx0ZWRfX0zgYfasN617V 6kkDOyDJ0fH7n07ZRtgKc+tEbarEjeQ533F17iqjPhBrZL5nncFcNXluCwyWDFlH1wpfv7mBkl1 M5yWkkQz5Hdd2JZTziZORU4AG4QNNtU=
X-Proofpoint-GUID: b43C3a_FONK1GeliZ_1j3SdKko_uaHGD
X-Proofpoint-ORIG-GUID: b43C3a_FONK1GeliZ_1j3SdKko_uaHGD
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNzE2MDE0NiBTYWx0ZWRfXxQ6aLgagXWrP Fu9KC5XVUxIS1+jOCMuzwdQYXfoL7RhL27HYei0aJgXl8KEutUIdhvtnfI22sohHsJ9MRbMPWfu 7xnjFVIaX1jYgvV/+vQsSa3G9uabrm9lGG2y0mQN+kadfmp2e2NTr6PzTGD6xf21L5EYuFcPKY6 lr/hOZNYiWhbncp/2ebjjFA/FoBxUoYr2a6RO5wI5WDVH9pDK/KZVC21mjjYeG4PUG9ah3gKzzh T/SBQU5ycLr5wxBSU5zCzCTVUcaC4pcHG4Qt5iLI507qQUj6BTtes0DgETL2nne506Dxx+g7wgv pbcjnLjSgeBXHlUm9z8TmqdkRt696yOtJ+qw0IgFM/uRDDR1HQsh9rY81DdxRw7yk47vYveb6qo iERWEahxMUwfQfGDTNRa8OFZO2YSZ40C5MVINjtfxnyuKtUkAgyWTxVW+lnZYj2h0bBXwe4ewsf rHdtTCIMElJtebR0iVg==
X-Authority-Analysis: v=2.4 cv=Roz16imK c=1 sm=1 tr=0 ts=6a58e749 cx=c_pps a=x6EWYSa6xQJ7sIVSrxzgOQ==:117 a=x6EWYSa6xQJ7sIVSrxzgOQ==:17 a=lCpzRmAYbLLaTzLvsPZ7Mbvzbb8=:19 a=xqWC_Br6kY4A:10 a=RAioF0-LDSMA:10 a=VkNPw1HP01LnGYTKEx00:22 a=Ifg-1AOnLHOf1gn6spyb:22 a=Pq72nHwyFlvh3xMh7ENp:22 a=j01giFgIAAAA:8 a=48vgC7mUAAAA:8 a=Bsxrw-KQAAAA:8 a=8qZttgZpbSquuh7kUrQA:9 a=QEXdDO2ut3YA:10 a=CqcEW96LMbsuON37N1cA:9 a=MjDn9gkU8W7NzJ52:21 a=_W_S_7VecoQA:10 a=h-vI8bnE59tfOYXDDhfv:22 a=U7dEvglbW9ZT5cpCyptc:22
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.134,FMLib:17.12.100.49 definitions=2026-07-16_05,2026-07-15_02,2025-10-01_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 spamscore=0 bulkscore=0 adultscore=0 clxscore=1015 lowpriorityscore=0 suspectscore=0 impostorscore=0 phishscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2606160001 definitions=main-2607160146
Message-ID-Hash: 5KAY2VHJJ2PIGYKJXRVTM6NMPLYZTSPL
X-Message-ID-Hash: 5KAY2VHJJ2PIGYKJXRVTM6NMPLYZTSPL
X-MailFrom: rsalz@akamai.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/P_bmoP5f12hwjwQ4_Ggi0lUQD9E>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On 7/16/26, 9:57 AM, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org> wrote:

  *
think it would be better as a separate RFC.  Perhaps collaborate with Don Eastlake


  *
Changing the current drafts is a mistake.

I received a couple of emails that made me realize I was over-zealous in trimming down.  It was in response to Nadim’s message below.

The draft is about using ML-KEM, not about using something based on Kyber. If you want to write about RNG, Don is looking at drafting a successor to 4086 so contact him. If you want to write a draft about how to use Kyber, that’s a separate document.

On 7/16/26, 6:41 AM, "Nadim Kobeissi" <nadim@symbolic.software> wrote:
Fair enough. Here is a start on a minimal list I think the text needs to
cover:

- cite the third-round Kyber submission;
- cite FIPS 203 Appendix C, where NIST documents removing `m <- H(m)`;
- state the FIPS 203 approved-RBG requirement;
- state that `m` is recovered by the decapsulating peer;
- recommend restoring Kyber's hashing of `m` as defense in depth against
 hidden-structure RBG failures;
- cite Dual_EC_DRBG as the public standardized example.
- quote the relevant part(s) of FIPS 203 C.1

I can turn that into concrete PR text. Before doing that, I would like
to understand whether the WG is open to text at this level of
specificity, or whether the only text people are willing to consider is
a generic RNG sentence. If the generic sentence is the only thing on
offer, I would request someone else draft it and I am happy to give
feedback.

This is incredibly unreasonable to the point of being disruptive. You are basically demanding that the IETF undermine the entire point of NIST standardization, on top of all your baseless insinuations about personal motivations of those who disagree with you and your unreasonable threat modeling when thinking about the entire question of `m` in ML-KEM and sources of randomness.

At what point does this become pure concern trolling? I regret even making the effort to catch up on these discussions.

Nadim Kobeissi
Symbolic Software • https://symbolic.software

On 15 Jul 2026, at 5:25 AM, Jacob Appelbaum <jacob@appelbaum.net> wrote:

Hi Paul,

On 7/14/26 03:17, Paul Wouters wrote:
The draft does not define crypto, it normatively references some crypto. It cannot both normatively reference it and modify it to make its own.

I do not think that follows and while it does not define the code point,
it does define how the cryptography is used in TLS including Security
Considerations. A TLS draft can normatively reference FIPS
203 and still explain the relevant assumptions and tradeoffs in Security
Considerations.

FIPS 203 Appendix C itself documents that Kyber originally hashed `m`
and that NIST removed that step because ML-KEM requires approved
randomness generation. The TLS draft should say that plainly.

Namely, quote the entirety of C.1:
```
C.1 Differences Between CRYSTALS-Kyber and FIPS 203 Initial Pub-
lic Draft
• In the third-round specification [4], the shared secret key was
treated as a variable-length
value whose length depended on how it would be used in the relevant
application. In this
specification, the length of the shared secret key is fixed to 256 bits.
It can be used directly
in applications as a symmetric key, or symmetric keys can be derived
from it, as specified
in Section 3.3.
• The ML-KEM.Encaps and ML-KEM.Decaps algorithms in this specification
use a different
variant of the Fujisaki-Okamoto transform (see [24, 25]) than the third-
round specifica-
tion [4]. Specifically, ML-KEM.Encaps no longer includes a hash of the
ciphertext in the
derivation of the shared secret, and ML-KEM.Decaps has been adjusted to
match this
change.
• In the third-round specification [4], the initial randomness 𝑚 in the
ML-KEM.Encaps algo-
rithm was first hashed before being used. Specifically, between lines 1
and 2 in Algorithm
20, there was an additional step that performed the operation 𝑚 ← 𝐻(𝑚).
The purpose
of this step was to safeguard against the use of flawed randomness
generation processes.
As this standard requires the use of NIST-approved randomness
generation, this step is
unnecessary and is not performed in ML-KEM.
• This specification includes explicit input checking steps that were
not part of the third-round
specification [4]. For example, ML-KEM.Encaps requires that the byte
array containing the
encapsulation key correctly decodes to an array of integers modulo 𝑞
without any modular
reductions.
```

Alternatively highlight this part of C.1 from FIPS 203:
```
• In the third-round specification [4], the initial randomness 𝑚 in the
ML-KEM.Encaps algorithm was first hashed before being used.
Specifically, between lines 1 and 2 in Algorithm 20, there was an
additional step that performed the operation 𝑚 ← 𝐻(𝑚).
The purpose of this step was to safeguard against the use of flawed
randomness generation processes.
As this standard requires the use of NIST-approved randomness
generation, this step is unnecessary and is not performed in ML-KEM.
```

Then I would suggest describing the total set of requirements from
FIPS203 or giving advice that `𝑚 ← 𝐻(𝑚)` should be used if the NIST-
approved randomness generation requirement is not met. I would also
probably want to say that this change by NIST is not robust against a
failure of their DRBG, nor is it robust against providing an oracle, the
m-oracle, I suppose which may be queries over TLS and/or used to sample
the DRBG outputs directly.

The IETF cannot modify things that are an external normative reference. MLKEM is what NIST defined, not what you are trying to build now.

I am not asking the draft to pretend that NIST defined something else. I
am asking the draft to document the consequence of what NIST defined:
without the approved-RBG assumption, the rationale for removing Kyber's
hash over `m` no longer holds.

If the draft does not restore `m <- H(m)`, then it should at least state
the FIPS 203 approved-RBG requirement and the fact that `m` is recovered
by the decapsulating peer.

This matters in practice. Many implementations will use `os.urandom`,
`/dev/urandom`, `/dev/random`, `/dev/hwrng`, `getentropy()`,
`getrandom()`, or another platform or library interface. Those may be
excellent choices in a well-designed system, but they are not
automatically the same thing as a NIST-approved RBG satisfying the FIPS
203 condition used to justify removing the hash.

One way to make the dependency clear is to think of the real requirement
as something closer to:

- ML-KEM-512-Hash_DRBG
- ML-KEM-512-HMAC_DRBG
- ML-KEM-512-CTR_DRBG
- ML-KEM-768-Hash_DRBG
- ML-KEM-768-HMAC_DRBG
- ML-KEM-768-CTR_DRBG
- ML-KEM-1024-Hash_DRBG
- ML-KEM-1024-HMAC_DRBG
- ML-KEM-1024-CTR_DRBG

Listing that is a concrete suggestion for the text but I do not feel
strongly about where it goes in the text.

These are shorthand examples names and I am not suggesting new algorithm
names. The point is that FIPS 203 relies on an approved RBG of
appropriate strength. If an implementation omits that part, the reason
NIST gave for removing Kyber's hash over `m` no longer applies.

This answer circles the answer by not distinguishing between the RNG issue and any other issues. You still did not answer the question.

My answer is: not as-is.

I am open to text that is applied consistently to both ML-KEM drafts.
But a generic sentence about "use a good RNG" does not address the
specific FIPS 203 requirement, nor the protocol consequence that `m` is
recovered by the decapsulating peer.

This does answer it better, it seems your answer is "no".

No. My answer is not "no no matter what." My answer is "not as-is"
because your suggestion is not even a full suggestion where I could just
say yes.

Which is the same issue as the "m concern".

Related, not identical. The approved-RBG dependency is the assumption
and a requirement. The `m` concern is the protocol consequence when that
assumption is not met, or when it is hidden from implementers.

For one, this is not different between pure and hybrid, yet you have no issue with the hybrid Security Considerations?

I do have an issue with the hybrid draft on this point. The same
Appendix C tradeoff and the same `m` issue apply there too. Hybrid helps
against some failures, but it does not automatically help if the same
recoverable RBG lineage later feeds the classical ephemeral scalar. The
removal of the hash leads to some fun issues and not only with
Dual_EC_DRBG but also.

Second, it seems as people said, TLS already provides a huge amount of options and parameters to use as a covert channel.

Agreed. That is why broader covert-channel work is also needed. But that
does not justify leaving this specific ML-KEM issue unexplained in these
drafts. It is a bit annoying to go back and forth between each layer
where a different layer is used as a reason to ignore the issues in the
layer under discussion.

What would a TLS implementer need to know when it uses a cryptographic library to support a new cipher, whether hybrid or pure?

They need to know at least:

1. FIPS 203 requires ML-KEM randomness from a NIST-approved RBG.
2. `m` is recovered by the decapsulating peer.
3. Kyber originally hashed `m` to protect against flawed randomness.
4. Dual_EC_DRBG is the public standardized example of a
  hidden-structure RBG failure.
5. Hybrid does not automatically help if the same recovered RBG lineage
  later feeds the classical ephemeral scalar.
6. This change was an intentional choice by NIST and the IETF does not
agree with this change as it cannot mandiate the use of a specific DRBG.

First, it seems most of the items you just listed are the same item, and basically you want it to say "don't use pure, use hybrid instead",

That is not my position. The `m` issue applies to ML-KEM in both the
standalone and hybrid drafts. My concern is that the drafts do not
clearly state the FIPS 203 randomness requirement, the Appendix C
tradeoff, or the peer-recoverability of `m`.

Second, if you want this document to proceed with some newly added text, it is up to you to propose such text to the WG.

Fair enough. Here is a start on a minimal list I think the text needs to
cover:

- cite the third-round Kyber submission;
- cite FIPS 203 Appendix C, where NIST documents removing `m <- H(m)`;
- state the FIPS 203 approved-RBG requirement;
- state that `m` is recovered by the decapsulating peer;
- recommend restoring Kyber's hashing of `m` as defense in depth against
 hidden-structure RBG failures;
- cite Dual_EC_DRBG as the public standardized example.
- quote the relevant part(s) of FIPS 203 C.1

I can turn that into concrete PR text. Before doing that, I would like
to understand whether the WG is open to text at this level of
specificity, or whether the only text people are willing to consider is
a generic RNG sentence. If the generic sentence is the only thing on
offer, I would request someone else draft it and I am happy to give
feedback.

So "pure" is what the IETF is using now for consistency.

Point of clarification: did you mean ML-KEM or ML-KEM-WITH-A-DRBG when
you said pure in that context?

The current text is the consensus proposal of two years of talk within the TLS WG.

The WGLC for draft-ietf-tls-mlkem-08 has ended, but I have not seen a
declaration of consensus. We also do not yet have agreed text that
addresses the FIPS 203 randomness requirement or Appendix C tradeoff.

I am not aware of any technical concerns.

Then let us test that with concrete text. The concern is not merely a
different risk preference. It is that NIST's rationale for removing
Kyber's hash depends on an approved-RBG requirement that the TLS draft
does not clearly carry forward.

So to me that makes it clear that in practise, your answer will remain "no".

No. If the drafts clearly document the FIPS 203 approved-RBG assumption,
the peer-recoverability of `m`, and the reason Kyber hashed `m`, I am
open to changing my view. If the text is only "use a good RNG", then no,
that is not enough.

As I explained above, you providing concrete text additions/ modifications will help determine consensus of your suggestions

I take that point. I can provide concrete text. My concern is that the
Last Call has already closed, so I am asking how the chairs intend to
handle new text if there is support for it.

Rough consensus is achieved when all issues are addressed, but not necessarily accommodated.

Agreed. My position is that the issue has not yet been addressed. It has
mostly been reframed as a generic RNG problem, which misses the specific
Appendix C tradeoff and the `m` oracle.

The one thing that is clear to me is that what you are asking for is basically changing the normative reference.

I reject that framing. Security Considerations routinely explain
assumptions, risks, and implementation guidance around normative
references. That is what I am asking for here.

The normative reference itself discusses Kyber and ML-KEM together in
Appendix C. Quoting and explaining that text is not changing the
normative reference. It is making the reference intelligible to TLS
implementers.

Adding a generic statement about RNG is the only compromise possible.

I do not agree. A meaningful compromise would state the actual FIPS 203
approved-RBG requirement, state that `m` is recovered by the
decapsulating peer, and explain that Kyber originally hashed `m` to
protect against flawed randomness.

If that is not good enough for you, your only option is to voice that you are against publication -

That is not my only option. I am currently against publication as-is,
but I am also trying to find text that could resolve the issue.

and to be consistent, I would expect you to be against publication of both the pure and hybrid mlkem drafts, as they are identical in that part, using the same normative reference of NIST.

I am against omitting the relevant FIPS 203 Appendix C details in both
drafts. I am against omitting advice to implementers who are not running
a FIPS-validated stack. I am against omitting the fact that `m` is
available to the decapsulating peer. And I am against omitting the
historical example of Dual_EC_DRBG when discussing hidden-structure RBG
failures.

A suggestion of generic RNG sentence that is not a concrete suggestion
is not enough, no. Text that states the FIPS 203 approved-RBG
requirement, the peer-recoverability of `m`, and the reason Kyber hashed
`m` would be meaningful.

Kind regards,
Jacob Appelbaum

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-leave@ietf.org