IETF Logo Mail Archive

[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

Eric Rescorla <ekr@rtfm.com> Wed, 26 November 2025 21:35 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 98912915D081 for <tls@mail2.ietf.org>; Wed, 26 Nov 2025 13:35:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JeuYl0t3tGkQ for <tls@mail2.ietf.org>; Wed, 26 Nov 2025 13:35:44 -0800 (PST)
Received: from mail-yw1-x112f.google.com (mail-yw1-x112f.google.com [IPv6:2607:f8b0:4864:20::112f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 9BE6D915D06E for <tls@ietf.org>; Wed, 26 Nov 2025 13:35:44 -0800 (PST)
Received: by mail-yw1-x112f.google.com with SMTP id 00721157ae682-789524e6719so4162057b3.1 for <tls@ietf.org>; Wed, 26 Nov 2025 13:35:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1764192944; x=1764797744; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=YErAsIqIfhwFEQLFajWuL7APVWkmgn/NPYH0cI4O/gw=; b=0cIfHLewP6zcxuCcC2G2kCL81xYDGEPcNfNc8grqXaJcG28pJLcjzqC3cQRr9TM+zo NSI/VOpQSGdIzHqgzPRfXX/BT55T3QuxplzEx69ZzvA6gg05MqOe5f9k0IjcCbmLnO3G 9QNUw7UCPE9wrWiTw2NQvFkQvaOmOWHG5tZVm5lK6xWaMj/lpdFPiFcSUNP13hZ2pzjq YoIljBBD/A58koRDOQwD0RmVkefDnpcgdGHvu5NSq8/5oLyfqY6bs3UrvXb/KSd7zLw3 i/Yjt+nwulfs+4QG3TR+yHm0WGzhOWEmtKSFIvE8nTNriO5yIjEgATtbC/NJwTqdvZvH I2FA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764192944; x=1764797744; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=YErAsIqIfhwFEQLFajWuL7APVWkmgn/NPYH0cI4O/gw=; b=BxHhgJaPstP9fqGhXkAworzDXQterNavS4ognCd8gc7v779NAucuXW7JgRFIxi15lJ to2wFSXCrvyyC8GHiG+iwZ6BaXssXtAAPAuHE8+Y9hJiQazwW7+1NoLMXcUEGT7ZWWGs BStUmMy7YV3ZTwl7aENTItmkidfWEOre3g9/frxUIUrYjAWfyj6iMYdIzkjO4TScydKH zNtaZFF07xgUCgpxw7gV/nkjgnh4Y8EwAK/QebXyTgNFRADDEt5uej3AjCJ8nlcQ+SAX AJGH7PUHzGoKeYokkjKJ/Qzry1ez+6xPeVe5qeRK/O4D7ECgXup/sExxhFvuox9+OIME FySA==
X-Forwarded-Encrypted: i=1; AJvYcCVfu8QH6oNrTatkPXR4nck1jOux8I6SeaCwOwFz9W5SsrunnEvlhY5++szlZcnRicwW+Bc=@ietf.org
X-Gm-Message-State: AOJu0YyiNnAGqW0veaN9NC00jFj049j3OmDhVrRwzvZS6tzA6U2mmKUn WVoJps9glHur5kAg8PEnWo2xdh8eLEnX368LsWKBtAGQdkFJE14uDH9BKTOMTEIO9pFZMkAp0Li UQDaZvD48oU7ZQ0xk9u4ccdLhior9o23KIu82vOSMDg==
X-Gm-Gg: ASbGncsWwv9GoR7HV06DyjdVQNj9BEEPQge8lO9+0O7G2kzwng9Lw1MP9Hf108T3FzV 61zA3vCsWqsbv0udHaH1yrXUVK6iZo721UGx8I7OSj+Xau19AotDZT3WWg0gM3a+c4yu0VvkqHg iy177mxR1dZdbpjEFxy/9R9+PE0d30aIOOY86p4jQGSSa8yjTiNjkkSre/yEeL4BFbRbZL6gkQm oNPxEJX/rjL3gQfcogTQwH4/7BYt4Jq2SEGBKxoN+LR+pN4Zyvx7lT+tYVBFFF5YN+u/Co14FPN XN4E8s6wQJuD8B8mfVcPEge2Pme+2nu5j3W6GU0uaWubcEV/KmWauIWBLh7cIkm55glIK/05rHk /FR2j/3jSDw==
X-Google-Smtp-Source: AGHT+IGYQGXYXpZIEA3T0oZu13zdj3IQSCv5hLAAgdFBYGMSoe6WTpHyjHW2vQZMy3IWa8JZa64DKAkd+ybG2J/9V8Y=
X-Received: by 2002:a05:690c:f83:b0:788:1521:4991 with SMTP id 00721157ae682-78a7bb59eb4mr199520407b3.22.1764192944105; Wed, 26 Nov 2025 13:35:44 -0800 (PST)
MIME-Version: 1.0
References: <20251126185919.362611.qmail@cr.yp.to> <9ce12b8e-9982-4194-987d-d2ca3a41ea48@tu-dresden.de> <CABcZeBOffkV9eUtpdPp8eWB_eMA1c6-GOMHoZcDs93cGm1kwfw@mail.gmail.com> <10352a8e-c3d5-457e-854d-e72e31fca2d2@tu-dresden.de> <CABcZeBPzabtzCs=zLncyjFy=JHWXzpPb6haN5iFA6=3orXTU2Q@mail.gmail.com> <91f28ee1-5408-417e-868d-bd5af47bd773@tu-dresden.de>
In-Reply-To: <91f28ee1-5408-417e-868d-bd5af47bd773@tu-dresden.de>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 26 Nov 2025 13:35:07 -0800
X-Gm-Features: AWmQ_bknVvP__Idz1hrraHF1pyBdf532SeF5O1W0QGCHeL2w7xYyXrN4od55sms
Message-ID: <CABcZeBPopk4jSXjwWaX_bPdcgvj6f6wPxTc7+300YmZnLGf36A@mail.gmail.com>
To: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
Content-Type: multipart/alternative; boundary="000000000000bfbc640644862da6"
Message-ID-Hash: Q2CCSCNMRY737CXODC7OB2OFCGPLH7ZA
X-Message-ID-Hash: Q2CCSCNMRY737CXODC7OB2OFCGPLH7ZA
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: draft-ietf-tls-mlkem@ietf.org, tls-chairs@ietf.org, tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_CYfBYvufBl-Pe_nhG9TaqmJSzY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Wed, Nov 26, 2025 at 1:17 PM Muhammad Usama Sardar <
muhammad_usama.sardar@tu-dresden.de> wrote:

> On 26.11.25 21:44, Eric Rescorla wrote:
>
> Right, though it's important to be clear on what that means:
>
> - You have to support key_share, but you don't necessarily need to send it
> (e.g., if you're doing pure PSK without any DH).
>
> cool, thanks very much. That resolves the apparent mismatch between
> section 9.1 and Figure 1 in my head.
>
> - The requirement for key_share doesn't require you to do ECC, just to
> support the extension generally. You'd be in compliance with this
> particular MUST if you supported pure MLKEM, though of course not with the
> MUST to support P-256.
>
> I think the draft should have a statement somewhere stating that it is no
> longer compliant with the base TLS specs, with pointer to section 9.1 of
> RFC 8446bis.
>
I don't think that's correct. In general any draft which defines a new
algorithm
just allows that algorithm to be used in TLS, but doesn't otherwise affect
TLS.
This is true for this draft but also for the MLKEM-ECC hybrids.

An implementation could choose to implement just the new algorithm and
not the MTI algorithm(s) in the same class, in which case the implementation
would be noncompliant, but it's possible to be noncompliant based purely
on the algorithms registered in RFC 8446, for instance by implementing
just P-384 and not P-256.

-Ekr

v2.37.1 | Report a Bug | By Email | System Status