[TLS] Re: [External] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3

Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> Sat, 11 October 2025 12:23 UTC

Message-ID: <16f68d04-6eb8-4ea4-9dd4-98762e0a766d@tu-dresden.de>
Date: Sat, 11 Oct 2025 14:22:56 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: tls@ietf.org
References: <20251011095218.169408.qmail@cr.yp.to>
Content-Language: en-US
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
In-Reply-To: <20251011095218.169408.qmail@cr.yp.to>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms090502070407080208010905"
Message-ID-Hash: 3PVHEISTBDDOBHGZDB4FQDBWHUW4IO2R
Precedence: list
Subject: [TLS] Re: [External] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Yul6hw0gD-48n4CjCOthafKZ7Rc>

On 11.10.25 11:52, D. J. Bernstein wrote:

> Thanks---I was looking at TR-02102-1 rather than TR-02102-2.
In my understanding, TR-02102-1 is only for SRTP and MLS. The one 
applicable for TLS is only TR-02102-2.
> Content-wise, I don't see how Table 9 in TR-02102-2 supports the notion
> that SecP256r1MLKEM768 or SecP384r1MLKEM1024 is required for compliance
> with something.
In my understanding, it does not: (see response to your point (2) below)
> The claim up thread that there are "regulatory requirements" sounds
> impressive,

To me, it isn't very impressive. I believe TLS WG should be carefully 
analyzing and defining what is secure use of PQ in TLS rather than being 
forced to support potentially weak solutions by the "regulatory 
requirements". Just for clarity: it is a general statement of my view; 
in particular, I haven't analyzed PQ yet and thus currently have no 
opinion on whether pure PQ is weaker than hybrid, or whether a specific 
hybrid is weaker than some other hybrid.

Besides, a question remains: which regulations? which country/region? 
which one to prefer if the regulations of two countries/regions contradict?

> but I'd like to see a complete argument that
>
>      (1) pinpoints the "regulatory requirements" we're talking about,

Well, if we are /strictly/ talking about "regulatory requirements" then 
the English versions are not legally binding in the first place (as it 
is default in Germany). Someone has to first confirm that the 
translation is actually correct. See the note in [0]:

>  Note: The translations of these Technical Guidelines should be 
considered as courtesy translations. In principle, theGerman versions 
<https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr02102/tr02102_node.html>take 
precedence.

>      (2) lays out how SecP256r1MLKEM768 and SecP384r1MLKEM1024 are
>          necessary for meeting those requirements, and

I think Sec. 3.1.3 in TR-02102-2 clarifies the situation. In my 
understanding, BSI neither recommends nor prohibits anything for PQ in 
TLS. It is just waiting for standards to be developed and matured. The 
only thing I could infer was that they /intend/ to recommend hybrid 
rather than pure PQ. Quoting the relevant text:

> Standards for the use of quantum-safe mechanisms in TLS are currently being developed and tested. The BSI intends to recommend quantum-safe mechanisms in this Technical Guideline (in hybrid use with recommended classical mechanisms) as soon as suitable standards have been adopted. 

Besides, Sec. 3.2 in TR-02102-2 clearly states that BSI is continuing to 
/recommend/ TLS 1.2, and since TLS 1.2 will not have PQ support, it 
implies to me that BSI is not even recommending moving towards PQ for TLS.

-Usama

[0] 
https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr02102/tr02102_node.html

Attachment: smime.p7s

[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Paul Wouters
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Working Group Last Call for Post-quantum Hy… Joseph Salowey
[TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
[TLS] Re: Working Group Last Call for Post-quantu… David Adrian
[TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Deirdre Connolly
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… tirumal reddy
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Andrei Popov
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Thom Wiggers
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… David Benjamin
[TLS] Re: [External⚠️] Re: Working Group Last Cal… Yaroslav Rosomakho
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Eric Rescorla
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
[TLS] Re: Working Group Last Call for Post-quantu… Martin Thomson
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
[TLS] Re: [External] Re: Working Group Last Call … D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Filippo Valsorda
[TLS] Re: [External] Re: Working Group Last Call … Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: [External] Re: Working Group Last Call … John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Dennis Jackson
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Stephen Farrell
[TLS] Re: Working Group Last Call for Post-quantu… Joseph Birr-Pixton
[TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
[TLS] Re: Working Group Last Call for Post-quantu… Christopher Patton
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Rob Sayre
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Appeal Response to Rob Sayre - was Re: Re: … Paul Wouters
[TLS] Re: Appeal Response to Rob Sayre - was Re: … Rob Sayre
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Peter Gutmann
[TLS] Re: Working Group Last Call for Post-quantu… Yaakov Stein
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Joseph Salowey

[TLS] Re: [External] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3

Attachment: smime.p7s