[TLS] Re: Working group last call for the deprecation experimental code points in ECDHE-ML-KEM
Filippo Valsorda <filippo@ml.filippo.io> Wed, 05 November 2025 12:08 UTC
Return-Path: <filippo@ml.filippo.io>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 199878362B0C for <tls@mail2.ietf.org>; Wed, 5 Nov 2025 04:08:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=filippo.io header.b="v5HxxAT+"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="Sp1d4AKc"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oILZXYSQvItp for <tls@mail2.ietf.org>; Wed, 5 Nov 2025 04:08:07 -0800 (PST)
Received: from fout-a2-smtp.messagingengine.com (fout-a2-smtp.messagingengine.com [103.168.172.145]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 39D7883629CE for <tls@ietf.org>; Wed, 5 Nov 2025 04:06:28 -0800 (PST)
Received: from phl-compute-09.internal (phl-compute-09.internal [10.202.2.49]) by mailfout.phl.internal (Postfix) with ESMTP id 486C0EC026B; Wed, 5 Nov 2025 07:06:22 -0500 (EST)
Received: from phl-imap-02 ([10.202.2.81]) by phl-compute-09.internal (MEProxy); Wed, 05 Nov 2025 07:06:22 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=filippo.io; h=cc :content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm2; t=1762344382; x=1762430782; bh=eeIWb4BSUn wbfnRbdP0eiXkcRvXJIrUVPEoxXtDXLBQ=; b=v5HxxAT+16PB+8H1X4jj24Vt6y fASbjNgWaBv78QvfzKBv4T33kcZ65S1Pqd9Eyxg7oNnsTJFImAq7bm5iai76biQ4 EScLAAnZZlrNquY+JDn4FoNyz2jF4MVGIZMoWcoTvj7vyKBR9XYDIFpBRkKnSV53 BRrf1Hkbu2QVbLPOD+B9bP1j/x8JxORLXdUcjPPDmFmQVOngu5IzIQbMWtPSiSdZ aOwocqVve566ox3xlUCjjp9lLx5DvZ7KHOvzDP7oQI6FPwhMKhG/+OXAxR0czt5J fc5s/tF2+teLiUiOTAQpC0XFaxPw62EVWmFnMiUe/rfs7VW8aHFewyPgiYyA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t= 1762344382; x=1762430782; bh=eeIWb4BSUnwbfnRbdP0eiXkcRvXJIrUVPEo xXtDXLBQ=; b=Sp1d4AKcVkn0mSoTFKspkJv9r3/GoWJjyqxw5eexuDjSmyVaDCT 6Fp69C9+dcIh5YN0XtXfaE3li/IHeWq0DoGDc7XbBUcKRZBSLVFDaGjAzT46MZge 3xx+vFzPQaFaf13HjJpMjZxuDl9R4uBt+4+6KbCC2bwRDfsoZTLqV1N1uaMgkHcZ EgLobksczi0AEdnsJNN9K3e5EZenc1puP2ZIGBh7vBH3v5CWlXrjuWCbBiDs9u6E v0RcLvBew2sNgfXrxueOLOwR+ePE7gILG0+RVoT1QwbZ3zKrnq8k9CIZo6EM5sSs B5lTdt650QUhLeS+jHB/BvsC/81eu7sMAig==
X-ME-Sender: <xms:vT0LaeC8mfPK-EMhyZrwwW0q6UBrg8DIw8whfgpTkR_Ogz9oQGIqBA> <xme:vT0LaTV_NRJCpbSl2tYaTG8jY51JfFoIj1gbF5qAlF_vZcGGpwJ1so6JqoWLqgd69 eOFHUZINz-JQ_MOFm9q5MaefmTapS0kIihu-ZzFgsINUOig5Ob4>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtdeggddukeefkeehucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfurfetoffkrfgpnffqhgenuceu rghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujf gurhepofggfffhvffkjghfufgtsegrtderreertddtnecuhfhrohhmpedfhfhilhhiphhp ohcugggrlhhsohhruggrfdcuoehfihhlihhpphhosehmlhdrfhhilhhiphhpohdrihhoqe enucggtffrrghtthgvrhhnpedugeejvedtgefhkeekueejvedtiedtheeutdduvdeigeei ffeuvdelkeevledvhfenucffohhmrghinhepihgvthhfrdhorhhgpdihohhuthhurdgsvg enucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehfihhl ihhpphhosehmlhdrfhhilhhiphhpohdrihhopdhnsggprhgtphhtthhopeefpdhmohguvg epshhmthhpohhuthdprhgtphhtthhopehthhhomhgrshdrsggvlhhlvggsrghumhepgedt rghishgvtgdrfhhrrghunhhhohhfvghrrdguvgesughmrghrtgdrihgvthhfrdhorhhgpd hrtghpthhtohepthhlshesihgvthhfrdhorhhgpdhrtghpthhtohepjhhovgesshgrlhho figvhidrnhgvth
X-ME-Proxy: <xmx:vT0LaTd75A5m70U05VdWrEu01Jbwz_sQnHH8LkCWef6ap6PiC3ZpIg> <xmx:vT0LaQ9kes_kqw5EAHiQUbKOSYF5rHF9WYSnrGLBgTs1T3-URD1Dgw> <xmx:vT0LafmPN_cZo3cRk2mllVMW1wfV_nsqG6MVxt9rDcxvDznZHbFybw> <xmx:vT0LaS-EH-AKgYNdRcbLygYykWYJKRIF7F52RT4Q9iC0tXBY4S2ZNA> <xmx:vj0Lab417I-zlsz3skfzYuawFe_9O9byxRIdM2EzVSlTelUCHXjdI0TN>
Feedback-ID: i2e91459c:Fastmail
Received: by mailuser.phl.internal (Postfix, from userid 501) id 8FAEE700063; Wed, 5 Nov 2025 07:06:21 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
X-ThreadId: AtoMDPlT0Y8J
Date: Wed, 05 Nov 2025 13:05:59 +0100
From: Filippo Valsorda <filippo@ml.filippo.io>
To: "Bellebaum, Thomas" <thomas.bellebaum=40aisec.fraunhofer.de@dmarc.ietf.org>, "joe@salowey.net" <joe@salowey.net>, "tls@ietf.org" <tls@ietf.org>
Message-Id: <0f353e98-3a8b-492b-8792-ee5f203a38e1@app.fastmail.com>
In-Reply-To: <0bb9483f1bef258d67d543c300b1035fbca4680a.camel@aisec.fraunhofer.de>
References: <CAOgPGoDsX09SEUXr+Tq_m_5bs+erCLagSGMrAVohBRMqOkAtRQ@mail.gmail.com> <0bb9483f1bef258d67d543c300b1035fbca4680a.camel@aisec.fraunhofer.de>
Content-Type: multipart/alternative; boundary="679b65a696d24e51b03567de7a43500d"
Message-ID-Hash: 67YXPVUDWPIDPKTSMYWLADXCWBJ7OO3I
X-Message-ID-Hash: 67YXPVUDWPIDPKTSMYWLADXCWBJ7OO3I
X-MailFrom: filippo@ml.filippo.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working group last call for the deprecation experimental code points in ECDHE-ML-KEM
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_fV3FvR8ngVTIzdB6JQjkF_YLP4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
2025-11-05 09:15 GMT+01:00 Bellebaum, Thomas <thomas.bellebaum=40aisec.fraunhofer.de@dmarc.ietf.org>: > > > added to the TLS registry as X25519Kyber768Draft00 (25497) and > > > SecP256r1Kyber768Draft00 (25498). This document obsoletes these entries. > > > IANA is instructed to modify the recommended field to 'D' and update the > > > reference to this [ this RFC ]. The comment fields for 25497 and 25498 are > > > updated to "obsoleted by [ this RFC ]" > > To be clear: We are not freeing the registry from these entries, but just warn against interop problems because everyone is supposed to use the new code points? > > So the WG rejects "D" as a means to warn against non-hybrids with some resoning that D is only "for weak cryptographic algorithms" [1], and would group it "with NULL ciphers, RC4, DES, EXPORT ciphers, MD5, etc" [2]. > Yet, for some reason we are more flexible here? The full quote from https://www.ietf.org/archive/id/draft-ietf-tls-rfc8447bis-15.html#section-3, linked at from [1], is "*This marking could be used to identify mechanisms that might result in problems if they are used, such as a weak cryptographic algorithm or a mechanism that might cause interoperability problems in deployment.*" so yeah: "NULL ciphers, RC4, DES, EXPORT ciphers, MD5, etc" are the former, this is the latter, and pure PQ algorithms are neither. Anyway, I support this change. (I don't think the track of a document ever had any impact whatsoever on my work, so why not.) > Normally I would welcome the above measures, but the picture it paints is that there are already some hybrids with "D" yet there are non-hybrids with "N", so "_surely_ hybrids are less safe", which (putting aside the important technical debate on this) is definitely not true for reasons of code point allocation. > > I oppose this change until the comment fields are made more descriptive. Something like "Concluded experiment, refer to [ new equivalent code point ] for standard ML-KEM" would suffice. > > -- TBB > > [1] https://mailarchive.ietf.org/arch/msg/tls/bULX8Y0mPdmW5_d5Q5VTdupR4nY/ > [2] https://youtu.be/zTAuEx9Otys?si=5hllRBXbjkkG1E8o&t=1909 > > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org > > > *Attachments:* > • smime.p7s
- [TLS] Working group last call for the deprecation… Joseph Salowey
- [TLS] Re: Working group last call for the depreca… Salz, Rich
- [TLS] Re: [EXTERNAL] Working group last call for … Andrei Popov
- [TLS] Re: [EXTERNAL] Working group last call for … Eric Rescorla
- [TLS] Re: Working group last call for the depreca… Kris Kwiatkowski
- [TLS] Re: Working group last call for the depreca… Yaroslav Rosomakho
- [TLS] Re: Working group last call for the depreca… Kaduk, Ben
- [TLS] Re: Working group last call for the depreca… Watson Ladd
- [TLS] Re: Working group last call for the depreca… Kampanakis, Panos
- [TLS] Re: Working group last call for the depreca… Bellebaum, Thomas
- [TLS] Re: Working group last call for the depreca… Bas Westerbaan
- [TLS] Re: Working group last call for the depreca… Viktor Dukhovni
- [TLS] Re: Working group last call for the depreca… Peter Gutmann
- [TLS] Re: Working group last call for the depreca… John Mattsson
- [TLS] Re: Working group last call for the depreca… Bellebaum, Thomas
- [TLS] Re: Working group last call for the depreca… Eric Rescorla
- [TLS] Re: Working group last call for the depreca… Filippo Valsorda
- [TLS] Re: Working group last call for the depreca… Joseph Salowey