IETF Logo Mail Archive

[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

Eric Rescorla <ekr@rtfm.com> Thu, 27 November 2025 21:29 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id D7E8691D495A for <tls@mail2.ietf.org>; Thu, 27 Nov 2025 13:29:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JJR9poSw0R3w for <tls@mail2.ietf.org>; Thu, 27 Nov 2025 13:29:38 -0800 (PST)
Received: from mail-yx1-xb130.google.com (mail-yx1-xb130.google.com [IPv6:2607:f8b0:4864:20::b130]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id D9FF891D4953 for <tls@ietf.org>; Thu, 27 Nov 2025 13:29:38 -0800 (PST)
Received: by mail-yx1-xb130.google.com with SMTP id 956f58d0204a3-6430834244aso951692d50.2 for <tls@ietf.org>; Thu, 27 Nov 2025 13:29:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1764278978; x=1764883778; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=UGsSdYJAEYpw3OvtkKr8vIfYNE0+ncqUZvKxJzYhLdI=; b=QKW1swSnVXq7GpPvPzkekmL9lGgaw59DtiqA2wmbCBJPw3kZy0fY7u/HjoH94RO9Lf OJBxUWiH9THg/anYUgQ18Hnn7Bt+QIYSZedYwtqtqeNsOt1+0nKWO9UdttQnMSxNBpha nO7sFzFnJ/YzJxZZvr8QEoGZWdv8pHVAignSnxcjT3ql0hct1KojgEUYrl9kYC3nQgS1 fg04Ng0neW+NARkiDloLA5ynLgogWijFfDR4xS+t12LFvfAEdewiDERUMDEPLYH9K57d feiaPNbwsb+WNJc8O7nMc72NC8B7zTrKIdi3gMfnB49wK3a3ceVTpinUFLgQTS3cdGF8 od0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764278978; x=1764883778; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=UGsSdYJAEYpw3OvtkKr8vIfYNE0+ncqUZvKxJzYhLdI=; b=WRMy2hjo/MKTa22ekG//xDAFVnRZ4JZGtL/2lG8/B3I3LRaFHmLLAgzWMj+emNk3Df w3e0AGT7K0DuNXV2svuCav4A95wRw3nln7vFrf8VFBecF/RE7q3mf/apjfVeX5zmhSbR Nfq5grm5p6KHpQtGN6uYbggN9Ob+0+3UsTDAXuZDlNU6fJtl+maCZHJvz/LOzAjrbk0v VY5QzblMKjbU3xq4e+LbNwnsnjM+ufYZilK5rOJfAcx5tlcVSI/5lvfjzrBJICzZNv0a DYO8wUcAF24KCgVjzqE/cM8zkH6GeL7pQC3GYHP3lGEArwi9SvqR8DoH2a+boBo2/AYh EhnQ==
X-Gm-Message-State: AOJu0YwApFgTR+tmmfDrVWIwCMjf4haJ+MU77/ZFIohvVV9cJzCrt9Dd U0IMlHXaS3xU2WJ0BWbzYS+gCdRdkCEUUEOTOZxm9b+V0R/EoEIynun0sloaU52EMhViRddV19z nRsi39RjMjIAMVVVykM65s7F4IXJYCQgqpGK+leyTlEprppOdj/diZa4=
X-Gm-Gg: ASbGncuCdMPvhcdDEz6k6M6UwJftKgSIxLSncbs1yIp1ARG1KvpG0rdpIGfDLAdaeQs yx5AGzVK9f1iD9nOWJ9ijwzOebdC4+HAsaJ/qSikxOlydcTZG8R+ncUIcsTpLwia+l+/V9y26nW LCHx0pB5YiAv3/qgCJPlnAIbPojV6y6Y2OsGi2bPOpMW8+lsNnQzaNi8/o0pkOgZ+DpwLmw+Fgx JJxG1GXhXYUArLHXI9vNKGAEXrhIfkLHxdbgRQxR5sodOYWJnm+DolIZgkIdAHrxXg5TauNZM39 U/wdY0pvQQAxdF04wEGdVt8yXf2paAydmcL0mLotPClaz82EpzMGw/XWKkV4Zmh/Bk8H7HkEpWq KkAQIpZGqEw==
X-Google-Smtp-Source: AGHT+IEpErc3iammwbQpZtVokAlZ440+HuRRjTo0ALvCWQ9U4IvoacmTinsWghUGNE/wOKYlr9KZYYda+S6HpDeHYLg=
X-Received: by 2002:a05:690e:8c5:b0:63f:bca7:ffb2 with SMTP id 956f58d0204a3-64329334ac7mr7022071d50.33.1764278977843; Thu, 27 Nov 2025 13:29:37 -0800 (PST)
MIME-Version: 1.0
References: <9c237f425c0b1ebccf099c47a8badfcf41eb2ef0.camel@aisec.fraunhofer.de> <20251127194517.439400.qmail@cr.yp.to>
In-Reply-To: <20251127194517.439400.qmail@cr.yp.to>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 27 Nov 2025 13:29:01 -0800
X-Gm-Features: AWmQ_bn8s-bnfDeJKXds1FqL4Q7U4OjzSwDZ1yOaesRsWlGUhKwYYIEagOIxqAQ
Message-ID: <CABcZeBNNsGEKSMcAyfnTyxCZLXxsBZT-u0adtn+5KyPMKm8wNw@mail.gmail.com>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c2660306449a3546"
Message-ID-Hash: N6ZTWZ3UVEADZXNQ5SB3AHRY23GWQ52M
X-Message-ID-Hash: N6ZTWZ3UVEADZXNQ5SB3AHRY23GWQ52M
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/aKH2eWtnoGVAWpq8XyZE-zJNAz8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

In this context I generally agree that "application profile" refers to
an IETF standards track document describing the use of TLS with some
other protocol.

If I understand correctly, you're arguing that a profile couldn't
remove an MTI requirement or substitute a different MTI. I think the
text of RFC 8446 fairly clearly indicates otherwise:

   In the absence of an application profile standard specifying
   otherwise:

   ...

   A TLS-compliant application MUST support digital signatures with
   rsa_pkcs1_sha256 (for certificates), rsa_pss_rsae_sha256 (for
   CertificateVerify and certificates), and ecdsa_secp256r1_sha256.  A
   TLS-compliant application MUST support key exchange with secp256r1
   (NIST P-256) and SHOULD support key exchange with X25519 [RFC7748].

This text doesn't come with any restrictions on what an application
profile can do, so I think the best interpretation is that it can
modify, replace, or remove any of these requirements.  As a concrete
example, RFC 9113 (HTTP/2) explicitly overrides the RFC 5246 MTIs in
Section 9.2.2:

    A deployment of HTTP/2 over TLS 1.2 SHOULD NOT use any of the
    prohibited cipher suites listed in Appendix A.

    ...

    The list of prohibited cipher suites includes the cipher suite that
    TLS 1.2 makes mandatory, which means that TLS 1.2 deployments could
    have non-intersecting sets of permitted cipher suites. To avoid this
    problem, which causes TLS handshake failures, deployments of HTTP/2
    that use TLS 1.2 MUST support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    [TLS-ECDHE] with the P-256 elliptic curve [RFC8422].

Moreover, this interpretation makes sense in the context of
interoperability, which is mostly between TLS-using applications, not
between TLS implementations in a vacuum. As long as the application
profile provides an adequate set of MTIs, then application
implementations will be able to successfully interoperate.

-Ekr















On Thu, Nov 27, 2025 at 11:45 AM D. J. Bernstein <djb@cr.yp.to> wrote:

> Trimming to tls@ietf.org since the last-call period has ended.
>
> Muhammad Usama Sardar writes:
> > If any one can write such profiles, then the whole idea of MTI
> > becomes questionable to me. That is, I could write my own profile and
> say I
> > am still compliant with RFC 8446.
>
> Indeed, such permission wouldn't make any sense. MTI requirements are
> critical protocol requirements for ensuring interoperability, so I'm
> baffled at the idea that implementors are allowed to ignore them. (Would
> the TLS-LTS "profile" become part of IETF's TLS if the author sticks the
> word "standard" on top of the document and posts the result somewhere?)
>
> Pasi Eronen explained the actual intent of the wording on list in 2006:
> "The 'application profile specifications' mentioned in Sections 5.2 and
> 5.4 were intended to specify how to *use* the RFC4279 ciphersuites to
> secure some particular application/service/higher-layer-protocol,
> without modifying anything in TLS. (In other words, something like RFC
> 2818 or 4261, which are for certificate-based ciphersuites)"
>
> This doesn't directly answer your question about authority (I would
> think that the word "standard" in an RFC means "IETF standard" when the
> text doesn't explicitly allow non-IETF standards), but "use ... without
> modifying anything in TLS" says that this is making selections _within_
> the allowed options, not making exceptions.
>
> To me this is what the word "profile" means in a technical context, so I
> don't agree that a more permissive notion matches the text of RFC 8446.
>
> ---D. J. Bernstein
>
>
> ===== NOTICES =====
>
> This document may not be modified, and derivative works of it may not be
> created, and it may not be published except as an Internet-Draft. (That
> sentence is the official language from IETF's "Legend Instructions" for
> the situation that "the Contributor does not wish to allow modifications
> nor to allow publication as an RFC". I'm fine with redistribution of
> copies of this document; the issue is with modification. Legend language
> also appears in, e.g., RFC 5831. For further background on the relevant
> IETF rules, see https://cr.yp.to/2025/20251024-rules.pdf.)
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>

v2.37.1 | Report a Bug | By Email | System Status