IETF Logo Mail Archive

[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> Fri, 28 November 2025 23:30 UTC

Return-Path: <muhammad_usama.sardar@tu-dresden.de>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 5ABB39241AD8 for <tls@mail2.ietf.org>; Fri, 28 Nov 2025 15:30:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=tu-dresden.de
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WQrmqXwSdppc for <tls@mail2.ietf.org>; Fri, 28 Nov 2025 15:30:21 -0800 (PST)
Received: from mailout4.zih.tu-dresden.de (mailout4.zih.tu-dresden.de [141.30.67.75]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id E951B9241AC6 for <tls@ietf.org>; Fri, 28 Nov 2025 15:30:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tu-dresden.de; s=dkim2022; h=Content-Type:In-Reply-To:From:References:To: Subject:MIME-Version:Date:Message-ID:Sender:Reply-To:Cc: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=OqfNEY/UQUdrItHrXQzlJdB/uSqKXLtSZRXPl9fcYyk=; b=I9OG6v6e4/LNkvSgxGHEFmR0+X tCIRzd251z7LzpLY8nmeHMocuwgCqPK1Hf0rLMavRQwW6xQSdEFCRV2Fp3i/JCR6cutPMa8s/diKS FKzVjpL+CwOlOC2bJsqBsNZJPdcUoAnCJjoBdKGAJSVNAhFY3PBJx+cggrFq/M16KRBQNakgdp0EJ cVTZfoFbCH674bfTlSypmx6wOX6QON47lu3a/K13KRhSaUQhLNnBJL1aNf/Y6+FugtKpjuvpvJuqU 65UHsx7nfx36OIFi4bMGa3hSJlKzFWwjjIjAJmn66BOD8Kl32n/m7xdw4AY6tiSpzVfKuGHe4m5Gt 8rniKhKQ==;
Received: from msx-t422.msx.ad.zih.tu-dresden.de ([172.26.35.139] helo=msx.tu-dresden.de) by mailout4.zih.tu-dresden.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <muhammad_usama.sardar@tu-dresden.de>) id 1vP7uu-009rrD-3Z; Sat, 29 Nov 2025 00:30:20 +0100
Received: from [10.12.5.228] (141.76.13.165) by msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.29; Sat, 29 Nov 2025 00:30:17 +0100
Message-ID: <c3511e79-7fdc-4006-a6a5-f0b74645590f@tu-dresden.de>
Date: Sat, 29 Nov 2025 00:30:15 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Eric Rescorla <ekr@rtfm.com>, tls@ietf.org
References: <CABcZeBNNsGEKSMcAyfnTyxCZLXxsBZT-u0adtn+5KyPMKm8wNw@mail.gmail.com> <20251128045939.466639.qmail@cr.yp.to> <CABcZeBO=JVUgHNph=yrv9ocTPn6Xd5xME=v=VAy-GiOaLgsihA@mail.gmail.com>
Content-Language: en-US
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
In-Reply-To: <CABcZeBO=JVUgHNph=yrv9ocTPn6Xd5xME=v=VAy-GiOaLgsihA@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms000601010406070906000409"
X-ClientProxiedBy: msx-t421.msx.ad.zih.tu-dresden.de (172.26.35.138) To msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139)
X-TUD-Virus-Scanned: mailout4.zih.tu-dresden.de
Message-ID-Hash: BMBOLKQJ3NYQRF3ZSJIWH4F5JH4BZ6IG
X-Message-ID-Hash: BMBOLKQJ3NYQRF3ZSJIWH4F5JH4BZ6IG
X-MailFrom: muhammad_usama.sardar@tu-dresden.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/aKMz3Feqie9Hj5Pz_fSs0awJQHs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

FWIW: Everything Ekr is saying below sounds reasonable to me. In 
particular, I also believe mixing and matching definitions from two very 
different SDOs can only lead to more ambiguities.

Also, in the thread, Ekr has mentioned twice that MTI is not super 
important. I have some difficulty following D. J. Bernstein but as far 
as I understand, I haven't seen any clear response to that (sincere 
apologies if I have missed/misunderstood something).

Assuming this is somehow super important: To resolve this and move on 
(WGLC ended 2 days ago), IMHO we could possibly have a short draft 
defining "application profile standard" and clarifying how the WG 
interprets it and the caveats around that. I volunteer to create an 
initial draft based on what I understood from Ekr and John. That draft 
would probably save us all some time.

D. J. Bernstein, could you please clarify if that would address your 
concern? Appreciate a concise (ideally binary) answer. If not, could you 
please tell precisely and concisely what would address your concern?

-Usama

On 28.11.25 22:04, Eric Rescorla wrote:
> I'm not sure I agree with that interpretation of the situation in
> ETSI, but I also don't think it's useful to try to import a definition
> of "profile" from another SDO with different practices, so I don't
> see much point in debating what is happening in ETSI.
>
>
> On the text itself, we have:
>
>    In the absence of an application profile standard specifying
>    otherwise:
>
>    A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256
>    [GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384
>    [GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites (see
>    Appendix B.4).
>
>    A TLS-compliant application MUST support digital signatures with
>    rsa_pkcs1_sha256 (for certificates), rsa_pss_rsae_sha256 (for
>    CertificateVerify and certificates), and ecdsa_secp256r1_sha256.  A
>    TLS-compliant application MUST support key exchange with secp256r1
>    (NIST P-256) and SHOULD support key exchange with X25519 [RFC7748].
>
> I think the text makes clear that an "application profile standard"
> can override the following requirements, but all those requirements do
> is require you to do things, so the only way to override the
> requirements is to *not* require you to do things. Even without the
> prefatory text, applications that use TLS could impose new
> requirements for the use of TLS with those applications.[0]
>
> WRT to the hypothetical example you propose: I think a WG specifying
> "TLS over X" could in fact make X25519 the requirement for "TLS over
> X" but not for TLS generally (this is the meaning of "application
> profile" in this context). Indeed, that's what the HTTP/2 example I
> gave does, except replacing TLS_RSA_WITH_AES_128_CBC_SHA with
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for use with HTTP/2.  I agree
> with you that the TLS WG possibly would not have agreed to change the
> MTI generally for TLS 1.2.  In general, it's hard to change MTIs for
> existing protocols because that can put preexisting implementations in
> a state of noncompliance, albeit with the updated
> specification. However, that isn't a problem for new protocol X over
> TLS.
>
> Regardless, I don't think that the HTTP WG required the assent of the
> TLS WG specifically to require a new MTI for HTTP/2, as opposed to TLS
> 1.3 generally, which is what happened here. Rather, what was required
> was IETF Consensus, which gets judged at IETF LC. Of course, if the
> TLS WG was generally opposed, it is unlikely you would have IETF
> Consensus. However, as a practical matter there was significant
> overlap between the HTTP and TLS WGs and the selection of the new
> MTI cipher suite for HTTP/2 matched the direction the TLS WG was
> already going in for TLS 1.3.
>
> -Ekr
>
> [0] Even if I were to concede -- which I don't -- that profiles could
> only "narrow" or "constrain", it's not clear to me that that would
> preclude removing an MTI. After all, forbidding some non-MTI algorithm
> would be narrowing things, so I think it's a matter of interpretation
> whether removing an MTI would be narrowing things.
>

v2.37.1 | Report a Bug | By Email | System Status