[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2026-02-27)

Nadim Kobeissi <nadim@symbolic.software> Sat, 21 February 2026 17:50 UTC

Return-Path: <nadim@symbolic.software>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 700A5BB50E82 for <tls@mail2.ietf.org>; Sat, 21 Feb 2026 09:50:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=symbolic.software header.b="AR50Vvjj"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="KphneE4o"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WLMrzArJwyyn for <tls@mail2.ietf.org>; Sat, 21 Feb 2026 09:50:37 -0800 (PST)
Received: from fhigh-a5-smtp.messagingengine.com (fhigh-a5-smtp.messagingengine.com [103.168.172.156]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id C54ABBB50E76 for <tls@ietf.org>; Sat, 21 Feb 2026 09:50:37 -0800 (PST)
Received: from phl-compute-03.internal (phl-compute-03.internal [10.202.2.43]) by mailfhigh.phl.internal (Postfix) with ESMTP id A00371400109; Sat, 21 Feb 2026 12:50:37 -0500 (EST)
Received: from phl-frontend-03 ([10.202.2.162]) by phl-compute-03.internal (MEProxy); Sat, 21 Feb 2026 12:50:37 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= symbolic.software; h=cc:cc:content-type:content-type:date:date :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm1; t=1771696237; x=1771782637; bh=wKHGtysyPHbIrBWgR2/ZnvHP8eDSB2zqDDBwQoGujwI=; b= AR50VvjjuWwggvi2Y+nBU1AuAhgZT/cERFv1OVZKVpRnWkjbpAcd0pbNGC9sT39N +yqoektTUp9WwYaKENskcvCfsH7I8pa/dG770ODikMGuCngng1+52yJph4xj5nAu wQwimAgZcaD4D4Qd41EnU1G3lZ8FniJiFiVcU1CrrupU8ecdBLWmsj8cFeqcSycc +0xnCC0M65Gi19OFmqGxwnbSydhcpz5JGf1Di7TCwCT92GgBHz2TMhM+S2oUuN/r yheQx6X4B5wHPyyHFlVtl/6Bu7vT7bkBILDXT8Smrcr+8fL/fqvHf1cVOJiJQv4Z RyaGk/MFrHDEbR1/NwQl+Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t= 1771696237; x=1771782637; bh=wKHGtysyPHbIrBWgR2/ZnvHP8eDSB2zqDDB wQoGujwI=; b=KphneE4ou05AYnga4QJr9uU8jhVq7pEQq7Xr8SkkBqHnlcXnFZz X9KAVDhbR5GtfpzlEG6e/jfxiz8Jam1ZlaIxdp5RlfewjHkwumYdP4hW+4Lab7HW 6cL0LEutb3NIbopO01X1+gwhtJZocDeEvC9Lgo74fQIpDCffjcHO3NtlOrCN92q8 CeC6QRMpUsZZ6Do7Ld6P3IbA3AEJRylp5krq4FUMlx3+8Mq5dTKwF5Ak08iZSsNG YuW1HucXoq/Tm+Hgmt5sTQ2YICJ13OkNrPlNJC2v559gKyC9STHeT15FDX56dZXq H4+K309CH+0Z3pddHv0V9f3871+deswk7Zg==
X-ME-Sender: <xms:bfCZaahuVCMjw5CJCrvJbrfXCMMdUdPjc97_1gCFTSnygQUJzqnOEA> <xme:bfCZaeQVvM1RiyiRWEKsTeh10RPY_IYWzweygQ9NdeDz3xnKAN1-FmPh10S91UhjF NLS283SXMj4HLNnVNzJlph1Tfis2TSHIglBaImDWhBSckL2_4Pq_xU>
X-ME-Received: <xmr:bfCZabitumNFhfJiPv9N-hLoMqyKBP0p7eppwNTuK69I7Tj6N3wifgJiz1gifHhGdIff-32Q2w81GbHUDFMO7skYdKrUe1U-qEkBDB5ldQHrZGDkK0y0W_GmtQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefgedrtddtgddvfedvtddvucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfurfetoffkrfgpnffqhgenuceu rghilhhouhhtmecufedttdenucenucfjughrpefhkfgtggfuffgjvefvfhfosegrtdhmre hhtdejnecuhfhrohhmpefprgguihhmucfmohgsvghishhsihcuoehnrgguihhmsehshihm sgholhhitgdrshhofhhtfigrrhgvqeenucggtffrrghtthgvrhhnpeegiefgvedttedvte fggfdtfeduveefhffgieevffevtedtkeefhfdukedthefgffenucffohhmrghinhepshih mhgsohhlihgtrdhsohhfthifrghrvgdpihgvthhfrdhorhhgpdhgihhthhhusgdrtghomh enucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehnrggu ihhmsehshihmsgholhhitgdrshhofhhtfigrrhgvpdhnsggprhgtphhtthhopeefpdhmoh guvgepshhmthhpohhuthdprhgtphhtthhopeguuhhruhhmtghruhhsthhulhhumhesghhm rghilhdrtghomhdprhgtphhtthhopehprghulhepgedtnhhohhgrthhsrdgtrgesughmrg hrtgdrihgvthhfrdhorhhgpdhrtghpthhtohepthhlshesihgvthhfrdhorhhg
X-ME-Proxy: <xmx:bfCZae7CkE7vrMK2u35zzA58Ob02i1YSO8dWXDe4oBXSD3bsDp2Q0w> <xmx:bfCZaYBUvqQSiYfgGsaP1EPjGaEBYnD_5jIZsNW-NxYIYKFxOHcRHg> <xmx:bfCZaVYEyHgCNUNRwpI4kgorn6SAmFd2tu3fviZ2nWDiXflsjH7kaw> <xmx:bfCZaTbdhReQ4BkE_whkbwyV96MIjiZTQNXRLOsmvWJjhWWRZC7dwA> <xmx:bfCZaUQpIG2xAnWgoJE4gy0CLEmzH-yfwrBWp1iRcBOtmH-tVK9dNAcg>
Feedback-ID: i6d3949ed:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat, 21 Feb 2026 12:50:36 -0500 (EST)
From: Nadim Kobeissi <nadim@symbolic.software>
Message-Id: <47E49761-0836-44CD-BB87-01A16FF1E2FE@symbolic.software>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5E666FF8-CF73-44A0-9E6B-A7D615578868"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.400.21\))
Date: Sat, 21 Feb 2026 18:50:35 +0100
In-Reply-To: <CAFR824xy-Kv8PKUnWenjKhUg+YippeK7Xp2Nrr3gbAGpJDf0VQ@mail.gmail.com>
To: Deirdre Connolly <durumcrustulum@gmail.com>
References: <20260218194044.1135896.qmail@cr.yp.to> <7C9C99AA-42B0-4BC7-8F41-39F35754F1C4@vigilsec.com> <MN2PR17MB40310F0A2891942D76C43E60CD6BA@MN2PR17MB4031.namprd17.prod.outlook.com> <2caab265-00ba-4078-b6d0-3a178dabaa61@tu-dresden.de> <CAEEbLAbkV4YxN7cgggckpEp24MLtRZpzs6M4KemBatpzCCcs0A@mail.gmail.com> <MEAPR01MB3654415F735DE96CEE239C78EE68A@MEAPR01MB3654.ausprd01.prod.outlook.com> <aZfbhrFDBp7a0xHL@chardros.imrryr.org> <EB48AB24-A1A2-47C8-9C2C-47C93B9320E7@thomwiggers.nl> <93af0689-4bd3-4f6b-afaf-41869d27fa4d@app.fastmail.com> <CAMtubr3QcHbiP5guhBoiFbFh8tKSD6WNHBJkxxb_AM4Wy5i0=g@mail.gmail.com> <9b71e709-69a3-f3d9-4cbd-d4d521556c55@nohats.ca> <971672FF-31BE-47C4-A478-8FEB60DE3F7A@symbolic.software> <66970fb7-0645-4fff-8b9e-48f6bad3e007@symbolic.software> <CAFR824xy-Kv8PKUnWenjKhUg+YippeK7Xp2Nrr3gbAGpJDf0VQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3864.400.21)
Message-ID-Hash: BW46IIYDRK7YRHWM4XHRVTSCA5FS4QME
X-Message-ID-Hash: BW46IIYDRK7YRHWM4XHRVTSCA5FS4QME
X-MailFrom: nadim@symbolic.software
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Paul Wouters <paul=40nohats.ca@dmarc.ietf.org>, "TLS@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2026-02-27)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PstYTWcHJhImC9c1cWGGGW5SY6Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi Deirdre,

You are correct. The quote I attributed to the Motivation section is not
the text in -07. I apologize for the error; I was looking at multiple draft versions.

The actual Motivation text names three use cases: regulatory frameworks
requiring standalone post-quantum key establishment, smaller key sizes
or less computation, and simplicity. My underlying concern applies to
each of these: these claims do not in my view constitute
motivation for removing compositional security. A hybrid construction is
already simpler than many TLS 1.3 configurations in production, and the
performance delta between an ML-KEM-only and ECDHE+ML-KEM handshake does
not approach the threshold that would justify discarding a well-analyzed
security property.

The remaining points in my objection stand.

Nadim Kobeissi
Symbolic Software • https://symbolic.software

> On 21 Feb 2026, at 5:54 PM, Deirdre Connolly <durumcrustulum@gmail.com> wrote:
> 
> > The Motivation section of -07 states that pure ML-KEM key establishment
> is "necessary for migrating beyond hybrids and for users that want or
> need post-quantum security without hybrids."
> 
> This is not the text in -07 nor the text on #main on GitHub including feedback from this call. This is the current text of the Motivation section: 
> 
> https://www.ietf.org/archive/id/draft-ietf-tls-mlkem-07.html#section-1.1
> 
> "FIPS 203 (ML-KEM) [FIPS203] is a FIPS standard for post-quantum [RFC9794] key establishment via a lattice-based key encapsulation mechanism (KEM). This document defines key establishment options for TLS 1.3 that use solely post-quantum algorithms, without a hybrid construction that also includes a traditional cryptographic algorithm. Use cases include regulatory frameworks that require standalone post-quantum key establishment, targeting smaller key sizes or less computation, and simplicity."
> 
> On Sat, Feb 21, 2026, 11:23 AM Nadim Kobeissi <nadim@symbolic.software> wrote:
>> Hi everyone,
>> 
>> Following the exchanges since my initial objection and after some 
>> additional appraisal of the situation, I am writing to set out a fuller 
>> objection to the publication of draft-ietf-tls-mlkem-07. I ask the 
>> chairs to treat this as a blocking objection and to reflect it 
>> accurately in any consensus call summary.
>> 
>> I want to state my position plainly. I do not believe this document 
>> should be published. A pure post-quantum key establishment option for 
>> TLS 1.3 discards compositional security under component compromise -- a 
>> property deliberately designed into TLS 1.3 that has served the deployed 
>> Internet well -- and the document identifies no concrete benefit gained 
>> in exchange. The hybrid constructions already adopted by this working 
>> group provide post-quantum security while retaining that compositional 
>> guarantee. This document proposes to remove that guarantee, and I have 
>> yet to see a justification for doing so that withstands scrutiny.
>> 
>> My background in formal verification of the TLS 1.3 key schedule -- 
>> including co-authoring verified models that contributed directly to TLS 
>> 1.3's standardization (Bhargavan, Blanchet, Kobeissi, IEEE S&P 2017, DOI 
>> 10.1109/SP.2017.26) -- informs the specific concerns I set out below.
>> 
>> ---
>> 
>> 1. THE DOCUMENT'S MOTIVATION IS CIRCULAR
>> 
>> The Motivation section of -07 states that pure ML-KEM key establishment 
>> is "necessary for migrating beyond hybrids and for users that want or 
>> need post-quantum security without hybrids."
>> 
>> This is circular: it asserts that pure PQ key establishment is needed by 
>> those who want pure PQ key establishment. The section does not identify 
>> any deployment scenario in which a hybrid construction is technically 
>> infeasible, any security property gained by removing the classical 
>> component, or any basis for concluding that the time for "migrating 
>> beyond hybrids" has arrived.
>> 
>> The compositional security argument for hybrid constructions is 
>> well-established: a hybrid key establishment scheme is secure if either 
>> component is secure. ML-KEM is relatively young as a standardized 
>> primitive; its mathematical hardness assumptions are less studied than 
>> those underlying established elliptic curve constructions. The world's 
>> Internet has been running TLS 1.3 with hybrid constructions for years, 
>> providing post-quantum security via ML-KEM while retaining higher 
>> assurance against classical attacks via ECC. Removing the classical 
>> component of this working arrangement discards a concrete security 
>> guarantee for no identified gain.
>> 
>> One would expect that disrupting a functioning, well-analyzed status quo 
>> would require exceptional motivation. The document does not provide one, 
>> and none has been offered in discussion despite my repeated requests. I 
>> cannot support publication of a standard that removes a security 
>> property without justification.
>> 
>> ---
>> 
>> 2. THE FATT PROCESS HAS NOT BEEN COMPLETED
>> 
>> The FATT charter (https://github.com/tlswg/tls-fatt) states:
>> 
>>    "A proposal that modifies the TLS key schedule or the authentication 
>> process or any other part of the cryptographic protocol that has been 
>> formally modeled and analyzed in the past would likely result in asking 
>> the FATT."
>> 
>> This document introduces pure ML-KEM as a NamedGroup, substituting the 
>> ML-KEM shared_secret into the TLS 1.3 key schedule in place of the 
>> (EC)DHE shared secret (Section 4.3, Figure 1). That substitution 
>> directly affects a component of the TLS 1.3 key schedule that has been 
>> formally modeled and analyzed, including in:
>> 
>>    - Bhargavan, Blanchet, Kobeissi, "Verified Models and Reference 
>> Implementations for the TLS 1.3 Standard Candidate," IEEE S&P 2017, DOI 
>> 10.1109/SP.2017.26.
>> 
>>    - Dowling, Fischlin, Gunther, Stebila, "A Cryptographic Analysis of 
>> the TLS 1.3 Handshake Protocol," Journal of Cryptology, 2021, DOI 
>> 10.1007/s00145-021-09384-1 (cited in the draft as [DOWLING]).
>> 
>> The prior analyses modeled the (EC)DHE input as a freshly generated 
>> ephemeral value. My own 2017 work explicitly modeled TLS 1.3 client key 
>> shares as ephemeral. As Muhammad Usama Sardar noted on this list on 
>> February 20, and as John Mattsson confirmed, this draft introduces a 
>> materially different assumption: Section 5.3 of -07 explicitly permits 
>> ML-KEM key share reuse.
>> 
>>  From direct knowledge of the 2017 proof, I can confirm that its 
>> security arguments do not straightforwardly extend to a static key share 
>> case. The proof relies on the ephemerality of client key shares at a 
>> structural level. Substituting a potentially reused ML-KEM encapsulation 
>> key for a fresh ephemeral (EC)DHE value changes the adversarial model 
>> the proof operates under.
>> 
>> Under the FATT charter, the chairs were expected to determine whether 
>> FATT review was warranted at adoption time. I have been unable to find a 
>> public record that FATT was engaged for this document: there is no FATT 
>> point person named in the FATT repository, and no FATT assessment 
>> appears in the shepherd write-up (which shows no shepherd assigned).
>> 
>> I would appreciate it if the chairs could clarify on the record whether 
>> FATT triage was initiated and, if so, what the outcome was. This is a 
>> straightforward process question, and answering it would help the 
>> working group understand whether this document has received the formal 
>> analysis review that our own processes call for.
>> 
>> ---
>> 
>> 3. THE KEY REUSE LANGUAGE CONTAINS ERRORS AND CONFLICTS WITH NIST SP 800-227
>> 
>> Section 5.3 of -07 states:
>> 
>>    "While it is recommended that implementations avoid reuse of ML-KEM 
>> keypairs to ensure forward secrecy, implementations that do reuse MUST 
>> ensure that the number of reuses abides by bounds in [FIPS203] or 
>> subsequent security analyses of ML-KEM."
>> 
>> This language has two concrete problems.
>> 
>> First, FIPS 203 does not define a reuse bound. FIPS 203 specifies the 
>> ML-KEM algorithm; for usage guidance, it explicitly directs implementers 
>> to SP 800-227. SP 800-227 is normatively cited in -07 as 
>> [NIST-SP-800-227]. Section 5.3's invocation of "bounds in [FIPS203]" 
>> attributes guidance to a document that does not contain it. This is a 
>> factual error in normative text, verifiable by anyone who reads the 
>> cited document.
>> 
>> Second, SP 800-227 (September 2025) states:
>> 
>>    "If an application uses an ephemeral key pair, the key pair shall be 
>> used for only one execution of key-establishment via a KEM and shall be 
>> destroyed as soon as possible after its use."
>> 
>> SP 800-227 distinguishes sharply between ephemeral keys, which are 
>> single-use and must be destroyed, and static keys, which are reusable 
>> but subject to additional authentication and key management requirements 
>> including proof of possession. The draft simultaneously recommends 
>> against reuse and permits it, with a MUST qualifier pointing to a bound 
>> that does not exist in the cited document. The result is a normative 
>> contradiction that implementers cannot resolve by reading the documents 
>> cited.
>> 
>> The security consequences of key reuse in deployed TLS go beyond the 
>> IND-CCA property of ML-KEM in isolation. IND-CCA is a primitive-level 
>> property; it does not guarantee forward secrecy, resistance to traffic 
>> analysis based on linkability of reused encapsulation keys, or 
>> compliance with SP 800-227's additional requirements for static-key 
>> deployments. The draft addresses none of these protocol-level concerns.
>> 
>> John Mattsson raised this point on February 12 and proposed removing all 
>> key reuse text as the condition for his support. The changes in -07 
>> addressed his concern only partially and did not correct the FIPS 203 
>> citation.
>> 
>> ---
>> 
>> 4. THE FRAMING OF THIS SECOND WGLC DOES NOT ACCURATELY REFLECT THE FIRST 
>> WGLC'S CONCLUSION
>> 
>> Paul Wouters's message of February 20, sent in his capacity as AD, 
>> describes the first WGLC as follows:
>> 
>>    "We already had a WGLC on this document [1] and the conclusion [2]
>>     was that it passed WGLC provided some clarifying text would be
>>     added that stated that for the general use case, hybrids were
>>     preferred."
>> 
>> This description does not match the conclusion it cites. The conclusion 
>> of the first WGLC, as recorded by Joseph Salowey on December 8, 2025 in 
>> the very message Wouters cites as [2], reads:
>> 
>>    "The working group last call for pure ML-KEM has concluded, thanks
>>     to those that participated in the discussion. In summary, we do not
>>     have consensus to publish the document as is. [...] Given this, the
>>     chairs will move the document back to the 'WG Document' state and
>>     ask the author to work on resolving the issues brought up on the
>>     list including text to address concerns that there are reasons to
>>     prefer hybrid over the pure approach. The chairs will then redo a
>>     working group last call to see if there is rough consensus for
>>     publishing this document."
>> 
>> [2]: https://mailarchive.ietf.org/arch/msg/tls/Gc6KVPrVHn-QCkeEcvJ_qtRcFxY/
>> 
>> The recorded conclusion is an explicit finding of no consensus to 
>> publish, with the document returned to WG Document state. Anyone can 
>> read [2] and compare. Describing this outcome as the document having 
>> "passed WGLC" is not a paraphrase; it reverses the recorded finding. 
>> This matters because the framing of this second WGLC as a narrow 
>> confirmatory step depends on that characterization. If the first WGLC 
>> found no consensus -- as [2] explicitly records -- then this second WGLC 
>> is properly a fresh determination of rough consensus, not a check on 
>> whether added text satisfies conditional supporters.
>> 
>> Per RFC 2418 Section 7.4, a working group last call determines rough 
>> consensus across the working group as a whole. The first WGLC generated 
>> substantive objections from multiple participants -- including D.J. 
>> Bernstein, Stephen Farrell, Rich Salz, Simon Josefsson, and myself -- 
>> that have not been resolved by the revisions in -07. The conclusion of 
>> the first WGLC is itself under active appeal at the IESG 
>> (https://datatracker.ietf.org/group/iesg/appeals/artifact/230) I would 
>> ask the chairs to clarify how the interaction between that pending 
>> appeal and this second WGLC is being handled.
>> 
>> ---
>> 
>> 5. SCOPE OF THIS OBJECTION
>> 
>> I note the AD's guidance that this second WGLC is directed at assessing 
>> whether the revisions in -07 address concerns raised in the first WGLC. 
>> My response to that framing is twofold.
>> 
>> First, several of the concerns I raise above are specific to the -07 
>> text itself: the FIPS 203 citation error, the SP 800-227 conflict, and 
>> the absence of FATT review are all concerns that arise from -- or remain 
>> unaddressed by -- the current revision. These are squarely within scope 
>> of any reading of this WGLC's purpose.
>> 
>> Second, the substantive objections from the first WGLC that were not 
>> resolved by -07 do not lapse because a second WGLC has been called. The 
>> revisions did not address the absence of a concrete motivation for 
>> removing the classical component, did not initiate FATT review, did not 
>> correct the FIPS 203 citation, and did not resolve the tension with SP 
>> 800-227. These objections remain open.
>> 
>> I ask the chairs to confirm that this objection has been received, that 
>> it will be reflected in the consensus call summary, and that the pending 
>> IESG appeal of the first WGLC's conclusion will be resolved before this 
>> document advances.
>> 
>> Nadim Kobeissi
>> Symbolic Software • https://symbolic.software <https://symbolic.software/>
>> 
>> On 2/21/26 11:28 AM, Nadim Kobeissi wrote:
>> > Hi Paul,
>> > 
>> > You write:
>> > 
>> >> We already had a WGLC on this document [1] and the conclusion [2] was
>> >> that it passed WGLC provided some clarifying text would be added that
>> >> stated that for the general use case, hybrids were preferred.
>> > 
>> > I just had a look at [2] and to my surprise, it didn’t seem to match 
>> > your description. What [2] seems to show was that the chairs decided 
>> > that there was no consensus. Quoting:
>> > 
>> >  > The working group last call for pure ML-KEM has concluded, thanks to 
>> > those
>> >  > that participated in the discussion. In summary, we do not have consensus
>> >  > to publish the document as is.
>> >  > […]
>> >  > Given this, the chairs will move the document back to the "WG Document"
>> >  > state and ask the author to work on resolving the issues brought up 
>> > on the
>> >  > list including text to address concerns that there are reasons to prefer
>> >  > hybrid over the pure approach. The chairs will then redo a working group
>> >  > last call to see if there is rough consensus for publishing this 
>> > document.
>> > 
>> > I am very confused. You say that [2] showed that it passed WGLC provided 
>> > that some clarifying text would be added. Absolutely none of this is 
>> > reflected in [2]. Instead, what [2] shows is an explicit admission of 
>> > the lack of any consensus to publish the document, and the document 
>> > being moved back to a “WG Document” state.
>> > 
>> > Could you please clarify this rather large discrepancy between your 
>> > description of [2] and what [2] actually appears to say?
>> > 
>> > Thank you,
>> > 
>> > [2] https://mailarchive.ietf.org/arch/msg/tls/Gc6KVPrVHn-QCkeEcvJ_qtRcFxY/
>> > 
>> > Nadim Kobeissi
>> > Symbolic Software • https://symbolic.software <https://symbolic.software/>
>> > 
>> >> On 20 Feb 2026, at 4:00 PM, Paul Wouters 
>> >> <paul=40nohats.ca@dmarc.ietf.org <mailto:40nohats.ca@dmarc.ietf.org>> wrote:
>> >>
>> >>
>> >> [ AD hat on ]
>> >>
>> >> All,
>> >>
>> >> I want to remind people that the goal of this 2nd WGLC is to focus on
>> >> the new text changed in responds to the conclusion of the 1st WGLC.
>> >>
>> >> We already had a WGLC on this document [1] and the conclusion [2] was
>> >> that it passed WGLC provided some clarifying text would be added that
>> >> stated that for the general use case, hybrids were preferred. This
>> >> 2nd WGLC is about that topic.
>> >>
>> >> There is an appeal chain that got muddled by the inappropriate use of
>> >> derivative clauses that is still in progress, but so far yielded the AD
>> >> statement [3] that confirmed the WG Chairs view that the consensus call
>> >> passed. There is an appeal with the IESG [4] on that decision, and this
>> >> document will not be placed in the RFC Editor queue until that appeal has
>> >> concluded, but will also not stop all processing while the appeal runs.
>> >>
>> >> This 2nd WGLC is meant to get those people who provisionally said "yes"
>> >> to publication of this document pending some extra text, to review this
>> >> text and let us know if that resolves the conditional part of their
>> >> "yes" statement. The text changes to discuss can be seen at:
>> >>
>> >> https://author-tools.ietf.org/iddiff?url1=draft-ietf-tls- 
>> >> mlkem-05&url2=draft-ietf-tls-mlkem-07&difftype=--html
>> >>
>> >>
>> >> I understand this is a heated topic. I am also not hearing from people
>> >> that they have changed their opinion on whether or not to publish this
>> >> document at all. Confirming your views are fine, but again, that is not
>> >> the goal of this 2nd WGLC. It would be helpful if, especially those
>> >> people who wanted additional clarifying text, to give us feedback on
>> >> this. And ideally, offer up suggestions that would address any still
>> >> outstanding issues.
>> >>
>> >> Thanks,
>> >>
>> >> Paul
>> >>
>> >> [1] https://mailarchive.ietf.org/arch/msg/tls/Pzdox1sDDG36q19PWDVPghsiyXA/
>> >> [2] https://mailarchive.ietf.org/arch/msg/tls/Gc6KVPrVHn-QCkeEcvJ_qtRcFxY/
>> >> [3] https://mailarchive.ietf.org/arch/msg/tls/dzPT8KQe4S-_pZROLUJMvS9pM0M/
>> >> [4] https://datatracker.ietf.org/group/iesg/appeals/artifact/230
>> >>
>> >> _______________________________________________
>> >> TLS mailing list -- tls@ietf.org <mailto:tls@ietf.org>
>> >> To unsubscribe send an email to tls-leave@ietf.org <mailto:tls-leave@ietf.org>
>> > 
>> 
>> _______________________________________________
>> TLS mailing list -- tls@ietf.org <mailto:tls@ietf.org>
>> To unsubscribe send an email to tls-leave@ietf.org <mailto:tls-leave@ietf.org>