[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2026-02-27)

Nadim Kobeissi <nadim@symbolic.software> Wed, 25 February 2026 18:03 UTC

Return-Path: <nadim@symbolic.software>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id D8745BE17177 for <tls@mail2.ietf.org>; Wed, 25 Feb 2026 10:03:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.797
X-Spam-Level:
X-Spam-Status: No, score=-2.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=symbolic.software header.b="EmI62CfD"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="m5Vto6N4"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oBmK3aGKJrlc for <tls@mail2.ietf.org>; Wed, 25 Feb 2026 10:03:19 -0800 (PST)
Received: from fhigh-b7-smtp.messagingengine.com (fhigh-b7-smtp.messagingengine.com [202.12.124.158]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 1EE9BBE16FD0 for <tls@ietf.org>; Wed, 25 Feb 2026 10:01:29 -0800 (PST)
Received: from phl-compute-03.internal (phl-compute-03.internal [10.202.2.43]) by mailfhigh.stl.internal (Postfix) with ESMTP id CB8257A0182; Wed, 25 Feb 2026 13:01:22 -0500 (EST)
Received: from phl-imap-12 ([10.202.2.86]) by phl-compute-03.internal (MEProxy); Wed, 25 Feb 2026 13:01:22 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= symbolic.software; h=cc:content-transfer-encoding:content-type :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to; s=fm1; t=1772042482; x=1772128882; bh=75utbC4WmWLUggH2WiJ4Z 1PEfIiTI8HX6nEUNXlIyao=; b=EmI62CfD+veGk5eb1keITovC1e3M15W34sAve 2EEioI1Bqlxsyt8W6hd0AhcVUUFHbm8w+scl+8a76LjgEu85+WzPfPFxL5cwIu3P tj+YODh8gnV8T5hsm5KafVex3b5FHkxSonzYceemhfSAhBSiFxjmFMF9/rPqYfes 305x3CnzdzELm1MkXNelMyEvaRYljrro/4yPEAayn2jtGmHrxaCv1Gr649/TCWZO qA89wN2nDDcmwSX06ER43MiQLCe3o2R8PV1m7Q341m0xC1ZV7WCJ88rWa4sAdq8k SD4LmXXSo+TzOyc6HLk0mVkvK9f4UuLEcLlahf7OYS49zGB5Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm3; t=1772042482; x=1772128882; bh=7 5utbC4WmWLUggH2WiJ4Z1PEfIiTI8HX6nEUNXlIyao=; b=m5Vto6N4fKj8HJLcK 6Z+o9rJf4hv6yQKW1a6Ase8N2ptKP7g0u4VItYSa+SM7yPaT5oj1m9ybivx6XdM9 5X7OeTyjjAYb0hvPz6191BsGJgpFpZK6W+aPeaOxcwyiCGVYfPAexaRTr5MtiyQH Em9OJwTDcQig+Z/GE9kepg+HnjNpYdsBUOJXqCyKF8Ymhu9bzLvuwbfkpAHdlt5/ xSmIRoOc/T4yEPm/0lL74m6evv2JhG0GByO7Ue1LuxsROqCbHtfD6XV6bZxLSXjr BdpxaqwKiwMcDFV+Er2sZdf9v0AAQ3B/qHButme6oaiScUcqKbCa/lTe+bWB4SaF w8Z9g==
X-ME-Sender: <xms:8jifaWt-vOKowVdlo5gqk1auI0NyQAjnpgA_nFbG78P4zutN5hU1mw> <xme:8jifaWTJCBSmDTfgeIH3CzyWUbJ2qfGVhTh2M_lI3kiMcwFwljt_abLFzf5EbC6is Ju5LFYTxGVdACdTGP85MFfBPI8EnyJ3i8qXGi7u-f-2BApbNl0Z7PI>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefgedrtddtgddvgeefjeeiucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfurfetoffkrfgpnffqhgenuceu rghilhhouhhtmecufedttdenucenucfjughrpefoggffhffvkfgjfhfutgfgsehtqhertd ertdejnecuhfhrohhmpedfpfgrughimhcumfhosggvihhsshhifdcuoehnrgguihhmsehs hihmsgholhhitgdrshhofhhtfigrrhgvqeenucggtffrrghtthgvrhhnpeethfegffegge ejgfevfffhtedvtdfgiedukefgkeefvddugeeuhfdtfeduffelveenucffohhmrghinhep ihgvthhfrdhorhhgpdhgihhthhhusgdrtghomhdpshihmhgsohhlihgtrdhsohhfthifrg hrvgenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehn rgguihhmsehshihmsgholhhitgdrshhofhhtfigrrhgvpdhnsggprhgtphhtthhopedvpd hmohguvgepshhmthhpohhuthdprhgtphhtthhopehprghulhepgedtnhhohhgrthhsrdgt rgesughmrghrtgdrihgvthhfrdhorhhgpdhrtghpthhtohepthhlshesihgvthhfrdhorh hg
X-ME-Proxy: <xmx:8jifaVZWn26hkVWy9KUtDx3kV05q5HOYDxuolOgRvTnvk1kINlB_aA> <xmx:8jifaaVPi5QTaFKfErOWoFQL9AbATtdxMSneDd3H6nQ0lyfeiEPhQg> <xmx:8jifafikwdR64z5X3BoXffOQDc7CEVOmjUaI_sIJPIoEAOxtxbS_2g> <xmx:8jifaQX54VL5d1MGHxwg8R-XCzbbPE1NlsGwKl-HUSRSAgC74O838w> <xmx:8jifaSiufn5On3mCfMSG5LpRw4wbF6hzq83cVkctP-Ksz63WEtaTMmE5>
Feedback-ID: i6d3949ed:Fastmail
Received: by mailuser.phl.internal (Postfix, from userid 501) id 78B31106006A; Wed, 25 Feb 2026 13:01:22 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
X-ThreadId: AdEwv1-X4yuN
Date: Wed, 25 Feb 2026 19:00:55 +0100
From: Nadim Kobeissi <nadim@symbolic.software>
To: Paul Wouters <paul=40nohats.ca@dmarc.ietf.org>, tls@ietf.org
Message-Id: <ecbe7d7f-4602-4b06-ae7f-aa6812389240@app.fastmail.com>
In-Reply-To: <1998222.tdWV9SEqCh@genesis>
References: <20260218194044.1135896.qmail@cr.yp.to> <971672FF-31BE-47C4-A478-8FEB60DE3F7A@symbolic.software> <66970fb7-0645-4fff-8b9e-48f6bad3e007@symbolic.software> <1998222.tdWV9SEqCh@genesis>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: TM3N4XQ2MNJNPJJF46IJYAPKM2HBBYZS
X-Message-ID-Hash: TM3N4XQ2MNJNPJJF46IJYAPKM2HBBYZS
X-MailFrom: nadim@symbolic.software
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2026-02-27)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YC4OUKseD1wd5oCrpXTIfw_0C9k>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

I'm encountering some concerning conduct from the AD regarding my blocking objection.

I've so far continued to receive off-list emails from the AD despite repeated explicit requests that they stop emailing me off-list and acknowledge my objection on-list, as well as address their inaccurate summary of [2].

The explanation provided by the AD to me (off-list, despite my explicit lack of consent) amounted to the following:

> The largest number of participants wanted to publish the document as is, however there was also a significant number that wanted changes to the document before publication and a small, but vocal, number of participants that do not want the document to be published at all.
> 
> where: largest > significant > small but vocal
> 
> and: (largest + significant) / (largest + significant + small but vocal) == rough consensus

I don't know why they insisted on sending this explanation off-list, but I'm sorry to say that it makes no sense. [2] clearly states:

> In summary, we do not have consensus to publish the document as is. [...] The chairs will then redo a working group last call to see if there is rough consensus for publishing this document.

I am a bit disturbed to see that the AD resorted to sending me strange justifications for their interpretation of [2] despite it clearly stating that "In summary, we do not have consensus to publish the document as is. [...] The chairs will then redo a working group last call to see if there is rough consensus for publishing this document."

I encourage more transparent behavior from this WG, and for the issues I raise to be treated in a more transparent manner. 

[2] https://mailarchive.ietf.org/arch/msg/tls/Gc6KVPrVHn-QCkeEcvJ_qtRcFxY/

On Wed, Feb 25, 2026, at 12:56 PM, Nadim Kobeissi wrote:
> Hi everyone,
>
> Despite emails sent from the AD on this list (and to me off-list), I still 
> don't see any acknowledgment regarding this blocking objection submission, 
> despite my request for one.
>
> I would appreciate it if the ADs could address my points on the record. Point 
> 4, especially, is to me quite concerning, and according to my judgement 
> deserves an explanation.
>
> Thank you,
>
> On Saturday, February 21, 2026 5:23:29 PM Central European Standard Time Nadim 
> Kobeissi wrote:
>> Hi everyone,
>> 
>> Following the exchanges since my initial objection and after some 
>> additional appraisal of the situation, I am writing to set out a fuller 
>> objection to the publication of draft-ietf-tls-mlkem-07. I ask the 
>> chairs to treat this as a blocking objection and to reflect it 
>> accurately in any consensus call summary.
>> 
>> I want to state my position plainly. I do not believe this document 
>> should be published. A pure post-quantum key establishment option for 
>> TLS 1.3 discards compositional security under component compromise -- a 
>> property deliberately designed into TLS 1.3 that has served the deployed 
>> Internet well -- and the document identifies no concrete benefit gained 
>> in exchange. The hybrid constructions already adopted by this working 
>> group provide post-quantum security while retaining that compositional 
>> guarantee. This document proposes to remove that guarantee, and I have 
>> yet to see a justification for doing so that withstands scrutiny.
>> 
>> My background in formal verification of the TLS 1.3 key schedule -- 
>> including co-authoring verified models that contributed directly to TLS 
>> 1.3's standardization (Bhargavan, Blanchet, Kobeissi, IEEE S&P 2017, DOI 
>> 10.1109/SP.2017.26) -- informs the specific concerns I set out below.
>> 
>> ---
>> 
>> 1. THE DOCUMENT'S MOTIVATION IS CIRCULAR
>> 
>> The Motivation section of -07 states that pure ML-KEM key establishment 
>> is "necessary for migrating beyond hybrids and for users that want or 
>> need post-quantum security without hybrids."
>> 
>> This is circular: it asserts that pure PQ key establishment is needed by 
>> those who want pure PQ key establishment. The section does not identify 
>> any deployment scenario in which a hybrid construction is technically 
>> infeasible, any security property gained by removing the classical 
>> component, or any basis for concluding that the time for "migrating 
>> beyond hybrids" has arrived.
>> 
>> The compositional security argument for hybrid constructions is 
>> well-established: a hybrid key establishment scheme is secure if either 
>> component is secure. ML-KEM is relatively young as a standardized 
>> primitive; its mathematical hardness assumptions are less studied than 
>> those underlying established elliptic curve constructions. The world's 
>> Internet has been running TLS 1.3 with hybrid constructions for years, 
>> providing post-quantum security via ML-KEM while retaining higher 
>> assurance against classical attacks via ECC. Removing the classical 
>> component of this working arrangement discards a concrete security 
>> guarantee for no identified gain.
>> 
>> One would expect that disrupting a functioning, well-analyzed status quo 
>> would require exceptional motivation. The document does not provide one, 
>> and none has been offered in discussion despite my repeated requests. I 
>> cannot support publication of a standard that removes a security 
>> property without justification.
>> 
>> ---
>> 
>> 2. THE FATT PROCESS HAS NOT BEEN COMPLETED
>> 
>> The FATT charter (https://github.com/tlswg/tls-fatt) states:
>> 
>>    "A proposal that modifies the TLS key schedule or the authentication 
>> process or any other part of the cryptographic protocol that has been 
>> formally modeled and analyzed in the past would likely result in asking 
>> the FATT."
>> 
>> This document introduces pure ML-KEM as a NamedGroup, substituting the 
>> ML-KEM shared_secret into the TLS 1.3 key schedule in place of the 
>> (EC)DHE shared secret (Section 4.3, Figure 1). That substitution 
>> directly affects a component of the TLS 1.3 key schedule that has been 
>> formally modeled and analyzed, including in:
>> 
>>    - Bhargavan, Blanchet, Kobeissi, "Verified Models and Reference 
>> Implementations for the TLS 1.3 Standard Candidate," IEEE S&P 2017, DOI 
>> 10.1109/SP.2017.26.
>> 
>>    - Dowling, Fischlin, Gunther, Stebila, "A Cryptographic Analysis of 
>> the TLS 1.3 Handshake Protocol," Journal of Cryptology, 2021, DOI 
>> 10.1007/s00145-021-09384-1 (cited in the draft as [DOWLING]).
>> 
>> The prior analyses modeled the (EC)DHE input as a freshly generated 
>> ephemeral value. My own 2017 work explicitly modeled TLS 1.3 client key 
>> shares as ephemeral. As Muhammad Usama Sardar noted on this list on 
>> February 20, and as John Mattsson confirmed, this draft introduces a 
>> materially different assumption: Section 5.3 of -07 explicitly permits 
>> ML-KEM key share reuse.
>> 
>>  From direct knowledge of the 2017 proof, I can confirm that its 
>> security arguments do not straightforwardly extend to a static key share 
>> case. The proof relies on the ephemerality of client key shares at a 
>> structural level. Substituting a potentially reused ML-KEM encapsulation 
>> key for a fresh ephemeral (EC)DHE value changes the adversarial model 
>> the proof operates under.
>> 
>> Under the FATT charter, the chairs were expected to determine whether 
>> FATT review was warranted at adoption time. I have been unable to find a 
>> public record that FATT was engaged for this document: there is no FATT 
>> point person named in the FATT repository, and no FATT assessment 
>> appears in the shepherd write-up (which shows no shepherd assigned).
>> 
>> I would appreciate it if the chairs could clarify on the record whether 
>> FATT triage was initiated and, if so, what the outcome was. This is a 
>> straightforward process question, and answering it would help the 
>> working group understand whether this document has received the formal 
>> analysis review that our own processes call for.
>> 
>> ---
>> 
>> 3. THE KEY REUSE LANGUAGE CONTAINS ERRORS AND CONFLICTS WITH NIST SP
>> 800-227
> 
>> Section 5.3 of -07 states:
>> 
>>    "While it is recommended that implementations avoid reuse of ML-KEM 
>> keypairs to ensure forward secrecy, implementations that do reuse MUST 
>> ensure that the number of reuses abides by bounds in [FIPS203] or 
>> subsequent security analyses of ML-KEM."
>> 
>> This language has two concrete problems.
>> 
>> First, FIPS 203 does not define a reuse bound. FIPS 203 specifies the 
>> ML-KEM algorithm; for usage guidance, it explicitly directs implementers 
>> to SP 800-227. SP 800-227 is normatively cited in -07 as 
>> [NIST-SP-800-227]. Section 5.3's invocation of "bounds in [FIPS203]" 
>> attributes guidance to a document that does not contain it. This is a 
>> factual error in normative text, verifiable by anyone who reads the 
>> cited document.
>> 
>> Second, SP 800-227 (September 2025) states:
>> 
>>    "If an application uses an ephemeral key pair, the key pair shall be 
>> used for only one execution of key-establishment via a KEM and shall be 
>> destroyed as soon as possible after its use."
>> 
>> SP 800-227 distinguishes sharply between ephemeral keys, which are 
>> single-use and must be destroyed, and static keys, which are reusable 
>> but subject to additional authentication and key management requirements 
>> including proof of possession. The draft simultaneously recommends 
>> against reuse and permits it, with a MUST qualifier pointing to a bound 
>> that does not exist in the cited document. The result is a normative 
>> contradiction that implementers cannot resolve by reading the documents 
>> cited.
>> 
>> The security consequences of key reuse in deployed TLS go beyond the 
>> IND-CCA property of ML-KEM in isolation. IND-CCA is a primitive-level 
>> property; it does not guarantee forward secrecy, resistance to traffic 
>> analysis based on linkability of reused encapsulation keys, or 
>> compliance with SP 800-227's additional requirements for static-key 
>> deployments. The draft addresses none of these protocol-level concerns.
>> 
>> John Mattsson raised this point on February 12 and proposed removing all 
>> key reuse text as the condition for his support. The changes in -07 
>> addressed his concern only partially and did not correct the FIPS 203 
>> citation.
>> 
>> ---
>> 
>> 4. THE FRAMING OF THIS SECOND WGLC DOES NOT ACCURATELY REFLECT THE FIRST 
>> WGLC'S CONCLUSION
>> 
>> Paul Wouters's message of February 20, sent in his capacity as AD, 
>> describes the first WGLC as follows:
>> 
>>    "We already had a WGLC on this document [1] and the conclusion [2]
>>     was that it passed WGLC provided some clarifying text would be
>>     added that stated that for the general use case, hybrids were
>>     preferred."
>> 
>> This description does not match the conclusion it cites. The conclusion 
>> of the first WGLC, as recorded by Joseph Salowey on December 8, 2025 in 
>> the very message Wouters cites as [2], reads:
>> 
>>    "The working group last call for pure ML-KEM has concluded, thanks
>>     to those that participated in the discussion. In summary, we do not
>>     have consensus to publish the document as is. [...] Given this, the
>>     chairs will move the document back to the 'WG Document' state and
>>     ask the author to work on resolving the issues brought up on the
>>     list including text to address concerns that there are reasons to
>>     prefer hybrid over the pure approach. The chairs will then redo a
>>     working group last call to see if there is rough consensus for
>>     publishing this document."
>> 
>> [2]: https://mailarchive.ietf.org/arch/msg/tls/Gc6KVPrVHn-QCkeEcvJ_qtRcFxY/
>> 
>> The recorded conclusion is an explicit finding of no consensus to 
>> publish, with the document returned to WG Document state. Anyone can 
>> read [2] and compare. Describing this outcome as the document having 
>> "passed WGLC" is not a paraphrase; it reverses the recorded finding. 
>> This matters because the framing of this second WGLC as a narrow 
>> confirmatory step depends on that characterization. If the first WGLC 
>> found no consensus -- as [2] explicitly records -- then this second WGLC 
>> is properly a fresh determination of rough consensus, not a check on 
>> whether added text satisfies conditional supporters.
>> 
>> Per RFC 2418 Section 7.4, a working group last call determines rough 
>> consensus across the working group as a whole. The first WGLC generated 
>> substantive objections from multiple participants -- including D.J. 
>> Bernstein, Stephen Farrell, Rich Salz, Simon Josefsson, and myself -- 
>> that have not been resolved by the revisions in -07. The conclusion of 
>> the first WGLC is itself under active appeal at the IESG 
>> (https://datatracker.ietf.org/group/iesg/appeals/artifact/230) I would 
>> ask the chairs to clarify how the interaction between that pending 
>> appeal and this second WGLC is being handled.
>> 
>> ---
>> 
>> 5. SCOPE OF THIS OBJECTION
>> 
>> I note the AD's guidance that this second WGLC is directed at assessing 
>> whether the revisions in -07 address concerns raised in the first WGLC. 
>> My response to that framing is twofold.
>> 
>> First, several of the concerns I raise above are specific to the -07 
>> text itself: the FIPS 203 citation error, the SP 800-227 conflict, and 
>> the absence of FATT review are all concerns that arise from -- or remain 
>> unaddressed by -- the current revision. These are squarely within scope 
>> of any reading of this WGLC's purpose.
>> 
>> Second, the substantive objections from the first WGLC that were not 
>> resolved by -07 do not lapse because a second WGLC has been called. The 
>> revisions did not address the absence of a concrete motivation for 
>> removing the classical component, did not initiate FATT review, did not 
>> correct the FIPS 203 citation, and did not resolve the tension with SP 
>> 800-227. These objections remain open.
>> 
>> I ask the chairs to confirm that this objection has been received, that 
>> it will be reflected in the consensus call summary, and that the pending 
>> IESG appeal of the first WGLC's conclusion will be resolved before this 
>> document advances.
>> 
>> Nadim Kobeissi
>> Symbolic Software • https://symbolic.software
>> 
>> On 2/21/26 11:28 AM, Nadim Kobeissi wrote:
>> 
>> > Hi Paul,
>> > 
>> > You write:
>> > 
>> > 
>> >> We already had a WGLC on this document [1] and the conclusion [2] was
>> >> that it passed WGLC provided some clarifying text would be added that
>> >> stated that for the general use case, hybrids were preferred.
>> > 
>> > 
>> > I just had a look at [2] and to my surprise, it didn’t seem to match 
>> > your description. What [2] seems to show was that the chairs decided 
>> > that there was no consensus. Quoting:
>> > 
>> > 
>> >  > The working group last call for pure ML-KEM has concluded, thanks to 
>> > 
>> > those
>> > 
>> >  > that participated in the discussion. In summary, we do not have
>> >  > consensus
>> >  > to publish the document as is.
>> >  > […]
>> >  > Given this, the chairs will move the document back to the "WG
>> >  > Document"
>> >  > state and ask the author to work on resolving the issues brought up 
>> > 
>> > on the
>> > 
>> >  > list including text to address concerns that there are reasons to
>> >  > prefer
>> >  > hybrid over the pure approach. The chairs will then redo a working
>> >  > group
>> >  > last call to see if there is rough consensus for publishing this 
>> > 
>> > document.
>> > 
>> > I am very confused. You say that [2] showed that it passed WGLC provided 
>> > that some clarifying text would be added. Absolutely none of this is 
>> > reflected in [2]. Instead, what [2] shows is an explicit admission of 
>> > the lack of any consensus to publish the document, and the document 
>> > being moved back to a “WG Document” state.
>> > 
>> > Could you please clarify this rather large discrepancy between your 
>> > description of [2] and what [2] actually appears to say?
>> > 
>> > Thank you,
>> > 
>> > [2] https://mailarchive.ietf.org/arch/msg/tls/Gc6KVPrVHn-QCkeEcvJ_qtRcFxY/
>> > 
>> > 
>> > Nadim Kobeissi
>> > Symbolic Software • https://symbolic.software
>> > 
>> > 
>> >> On 20 Feb 2026, at 4:00 PM, Paul Wouters 
>> >> <paul=40nohats.ca@dmarc.ietf.org> wrote:
>> >>
>> >>
>> >>
>> >>
>> >> [ AD hat on ]
>> >>
>> >>
>> >>
>> >> All,
>> >>
>> >>
>> >>
>> >> I want to remind people that the goal of this 2nd WGLC is to focus on
>> >> the new text changed in responds to the conclusion of the 1st WGLC.
>> >>
>> >>
>> >>
>> >> We already had a WGLC on this document [1] and the conclusion [2] was
>> >> that it passed WGLC provided some clarifying text would be added that
>> >> stated that for the general use case, hybrids were preferred. This
>> >> 2nd WGLC is about that topic.
>> >>
>> >>
>> >>
>> >> There is an appeal chain that got muddled by the inappropriate use of
>> >> derivative clauses that is still in progress, but so far yielded the AD
>> >> statement [3] that confirmed the WG Chairs view that the consensus call
>> >> passed. There is an appeal with the IESG [4] on that decision, and this
>> >> document will not be placed in the RFC Editor queue until that appeal
>> >> has
>> >> concluded, but will also not stop all processing while the appeal runs.
>> >>
>> >>
>> >>
>> >> This 2nd WGLC is meant to get those people who provisionally said "yes"
>> >> to publication of this document pending some extra text, to review this
>> >> text and let us know if that resolves the conditional part of their
>> >> "yes" statement. The text changes to discuss can be seen at:
>> >>
>> >>
>> >>
>> >> https://author-tools.ietf.org/iddiff?url1=draft-ietf-tls- 
>> >> mlkem-05&url2=draft-ietf-tls-mlkem-07&difftype=--html
>> >>
>> >>
>> >>
>> >>
>> >> I understand this is a heated topic. I am also not hearing from people
>> >> that they have changed their opinion on whether or not to publish this
>> >> document at all. Confirming your views are fine, but again, that is not
>> >> the goal of this 2nd WGLC. It would be helpful if, especially those
>> >> people who wanted additional clarifying text, to give us feedback on
>> >> this. And ideally, offer up suggestions that would address any still
>> >> outstanding issues.
>> >>
>> >>
>> >>
>> >> Thanks,
>> >>
>> >>
>> >>
>> >> Paul
>> >>
>> >>
>> >>
>> >> [1]
>> >> https://mailarchive.ietf.org/arch/msg/tls/Pzdox1sDDG36q19PWDVPghsiyXA/
>> >> [2]
>> >> https://mailarchive.ietf.org/arch/msg/tls/Gc6KVPrVHn-QCkeEcvJ_qtRcFxY/
>> >> [3]
>> >> https://mailarchive.ietf.org/arch/msg/tls/dzPT8KQe4S-_pZROLUJMvS9pM0M/
>> >> [4] https://datatracker.ietf.org/group/iesg/appeals/artifact/230
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> TLS mailing list -- tls@ietf.org
>> >> To unsubscribe send an email to tls-leave@ietf.org
>> > 
>> > 
>> 
>> 
>> _______________________________________________
>> TLS mailing list -- tls@ietf.org
>> To unsubscribe send an email to tls-leave@ietf.org
>
>
>
> Nadim Kobeissi
> Symbolic Software • https://symbolic.software
>
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org

-- 
Nadim Kobeissi
Symbolic Software • https://symbolic.software