IETF Logo Mail Archive

[TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3

"Salz, Rich" <rsalz@akamai.com> Fri, 10 October 2025 17:47 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id DB1A470DE8BA for <tls@mail2.ietf.org>; Fri, 10 Oct 2025 10:47:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com header.b="DDMeSHQm"; dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=akamai365.onmicrosoft.com header.b="Hlr4mKvL"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R0Y_Gg0X3zZZ for <tls@mail2.ietf.org>; Fri, 10 Oct 2025 10:47:59 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 3E77F70DE8B3 for <tls@ietf.org>; Fri, 10 Oct 2025 10:47:58 -0700 (PDT)
Received: from pps.filterd (m0050093.ppops.net [127.0.0.1]) by m0050093.ppops.net-00190b01. (8.18.1.2/8.18.1.2) with ESMTP id 59A49hSc021073 for <tls@ietf.org>; Fri, 10 Oct 2025 18:47:56 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h= content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to; s=jan2016.eng; bh=QtcGsTYb5B/2WvsQKPegY8 wEqRBnCcDKgs78nlb0LeQ=; b=DDMeSHQmmDdipdUGGC6YqkopMw/KhF617rChBG xbmaQYjYC772SvbitjrRbzH+IT21NdAkHYLJ7EDy11ieYhBQSPrlYyXeApVVXL4J WC34Rv8rFk6gK44CbI1xZx7QzhThmdkGGHKsbSV8NqB1DscSP5KMmo/+zi0vVmBY qRrxb11PsKGpAKSBcb7Z4nlEaJm4kkKYrvqZy8A5o/xFfInNhDpKmi+MFNWTuytJ aDfdHu7cQO93Jo5gS1o0R/w58nvz/EGCp1uf+8ghCniBLeBVLDhPindIEjSEdweH +5VMDyiQhmlt64TP3ri/jck9AryukysClLjx9lMMAXF5/OUw==
Received: from prod-mail-ppoint6 (prod-mail-ppoint6.akamai.com [184.51.33.61]) by m0050093.ppops.net-00190b01. (PPS) with ESMTPS id 49jtuvfhmj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <tls@ietf.org>; Fri, 10 Oct 2025 18:47:56 +0100 (BST)
Received: from pps.filterd (prod-mail-ppoint6.akamai.com [127.0.0.1]) by prod-mail-ppoint6.akamai.com (8.18.1.2/8.18.1.2) with ESMTP id 59ACDg0A013429 for <tls@ietf.org>; Fri, 10 Oct 2025 13:47:55 -0400
Received: from email.msg.corp.akamai.com ([172.27.91.27]) by prod-mail-ppoint6.akamai.com (PPS) with ESMTPS id 49nv7n09m7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <tls@ietf.org>; Fri, 10 Oct 2025 13:47:55 -0400
Received: from usma1ex-exedge1.msg.corp.akamai.com (172.27.91.34) by usma1ex-dag4mb8.msg.corp.akamai.com (172.27.91.27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.37; Fri, 10 Oct 2025 13:47:54 -0400
Received: from BN1PR07CU003.outbound.protection.outlook.com (184.51.33.212) by usma1ex-exedge1.msg.corp.akamai.com (172.27.91.34) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.37 via Frontend Transport; Fri, 10 Oct 2025 13:47:54 -0400
Received: from MN2PR17MB4031.namprd17.prod.outlook.com (2603:10b6:208:200::22) by CH4PR17MB7426.namprd17.prod.outlook.com (2603:10b6:610:22b::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9203.10; Fri, 10 Oct 2025 17:47:53 +0000
Received: from MN2PR17MB4031.namprd17.prod.outlook.com ([fe80::4082:17d0:7c11:1730]) by MN2PR17MB4031.namprd17.prod.outlook.com ([fe80::4082:17d0:7c11:1730%6]) with mapi id 15.20.9228.005; Fri, 10 Oct 2025 17:47:53 +0000
From: "Salz, Rich" <rsalz@akamai.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
Thread-Index: AQHcN5ono1sPELaPike3XhGAixQhgLS23PIAgAAF2wCABAq/AIAADsCAgAAlzYCAAAU+gIAATIx9gAAQhwCAAArIAIAAHDCAgAAAsYE=
Date: Fri, 10 Oct 2025 17:47:52 +0000
Message-ID: <MN2PR17MB40310B8903D5D063973C65BFCDEFA@MN2PR17MB4031.namprd17.prod.outlook.com>
References: <CH8PR21MB5484275C3BC970292001CA5B8CEFA@CH8PR21MB5484.namprd21.prod.outlook.com> <20251010160156.115874.qmail@cr.yp.to> <aOlFmQvBYM41p3vT@chardros.imrryr.org>
In-Reply-To: <aOlFmQvBYM41p3vT@chardros.imrryr.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-reactions: allow
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: MN2PR17MB4031:EE_|CH4PR17MB7426:EE_
x-ms-office365-filtering-correlation-id: ac70e553-9fd3-491a-f9c1-08de08252327
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|376014|10070799003|366016|1800799024|8096899003|38070700021;
x-microsoft-antispam-message-info: eBGWif26pU2Nzpdnco7XnrKEOuq8zdgpC9USAIZ7N1CgrYI5PQhi6Xj6waMq9T9NXHKfCeRG46CeL8b3VJU7Bb4dtLBW/NnR9PNPcNfYS8rl74Ko5gY+1sGmpdHQWX/v2Eh2YSK2JzWH/u497rVM/o6iF/ywJWNHlAP6VgKROSQfJrqz4T0rcoWa7Ix1x7dkXsxKEJPSGkbvf+uJXWhHgORNme3KMEvKV8HaVGxjZPFWNj+GLn1z24fa0ZlD8r6xkjEkeuEZamFBEURWUO7ZVuwV0iDdP/7JoPDSaenWuSJT+tlQMcLEH8JWKFAuKxFU2aysjcLbWgZmHK/XlecJfYiPUK3+tFKejUnERAWD2a2LVNvi2TiBPMT4AiqLBcPh8+mwW+/6rG78tGwh/uzwf7Oz5QuTxZ0XcZ6xssW6lCmHIq3txo2wcJWrmrVItwgfS7b673LgXvnQH9U1ZKUOUZKXD/MCOBkXsx1NzQMxGNIW/T21dRl0rqEg5pfI2uqhb4LMqmtpSJ3cvNXMxKbMByEtomdV2Q/qKwkW2erbE61LCgeuatnrQ9+1SeU+kFasOFmLVUr4zX1BaDvRoC4WuQMSw+VUi10cyIuxXJCJFPwED6N56MFkuaf2gd8Zd9uVjJo7ZIzCQtuLF8+rWvHviccgJyHpH80Omf45ZLzloedewtk5CdLjN4u/0UpWPqQsP9aF9OJRUBu7Wq7R6B1g2jUKDcVSfgq0Qt6X9I5ZmOI+HeNqKqJTNBqJIO3c81WvSIKcu7Yk/ei3RVoW6bHXA7gu44xNK0F91bcvNyz88UDO4jnjkmRLevQNENyq4xmZH3t9BnQRxE1fHdao2mOr+rruWUxrPSqvhMEmsQ0hXrEXe59uw40Tk6zqx0afbH/VphTyqRQG3PSMyQiJu481cohHjyaol/g35/8RFDW5RRmD3Pt769YAl9PGD/Cg960VNtcQrtcH3Ls1oSGVKvp6YiOR1UeAbguJfEJYLZKp/XXA57T3S08ZHwSGJzHEXPFHAlRezhxToCG8yyjNcjTZpPYc2peR2jXXBK7gpkQdfsx0ggH96m83ElC+5QaVvshomOBWM2OAyVHOKZkv9jEtSs6OG/SzGh0bUalGKW5WZgPtsTgtbRFpDkggzAF6sn6g+Ooa7FVBYRvH1OQ+Je/ZNG4CyeSPNE7c9dGBUjE0+AMtRe2QSRdRg65yuaMV+jFdjngaDWYZhBS4C5ZCsoVWbW+erlovvZd6WmF0geAphO3JwV7tLziJxPa/VoTOAn7X+5Iykj/UsoHLjqwYIgArqM/5FS9yiajPKzEMFxw0S3Af5r6CEDsYqQ76/rWDzBuO2opgfvxaLewC5yetsFDqzzROOVxl2zmk3Z7ePMNeBsDptubs6uwcBtcgq+GP81XpRtKy2RdHlZkavP6P5lfIvlW6Nq4n8RfzZSW6HXGQa5UvorhQhzObhuTi07pwkmQCd5ooFhpzsMS/KYhd8d2LZeX2HFd+Uhy+vLSWw59zfnzWu3d0zgJE7j0BxGdmgjIi
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MN2PR17MB4031.namprd17.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(376014)(10070799003)(366016)(1800799024)(8096899003)(38070700021);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: oOLCszidOTdYgITJSlP4IBTd8XKtN4g44uTNLyUfrZS9bIW0aZRYL76cO8UuP/5mW/jJ3zW+kPRrD4EbmeGvX95AQn7wqhihfS/3fJtMNcuMrBry+0n90qTHUpxPmVhxgXo4n5w18b8lfAAUiHEyz3WSBctbXHi5j+iZKD5agj5lwkHHcvM4WqzczqrYurI69JrtuBGR48oHt/fqE5gz3T9pWA08Qejrxx7NgxhMrtTR7RR2tqx4rdaDCyxkp5cd6lb6rPrd5HTMzeNOAUPTcNG7RLwskgRXlX4oM9tlPq5gmJEPNXo0cNyf6VjYijoUE6MRxR8ezYF+ez2ApxgxGOpk33DqXBZU++2ceLMX8f8/WwjeJcv8p4axQiBt/8bPyPi3wvRjhBf/HdahWhpAJi69fwSHWuenHR+8NGeajk9KzTh2fyvViRq/ri1prQ89cQ4Zgu8pU3SRlStCpwi61w2GKPCyYGo+N00u+OiXVJX7KUuaG5Qsta3u7LDIYem1Onyrz/lOXfMp1kcR3yJa+nwtu+mOR++2gsB7xV9xbQ0+z+x8V+Y7UsrpnlQYRqPX0kuIfu2gMY/4pYfsEnIsBVg8BXXcXKhWJ4BhZhhkKBfxiDaxiXhQFMz/UD98dJjTXb7YI5El9MXydoxdAnIqzdaufpuwXFYphhgSwFCIr6lVsd49ykudRMTyd34iJBsoGO45EXqhrlCnZuA/XbN55ipj/2KNrTQckICGvL+02kS3Xr6852ULSqQv4Fdrsm9605W1c9fb3guxAKq7RIA9eFYLZ2flFymMuZUBOkY+dWEXQ6ZZ72cS+tHqQ6JhKXqNuzZQxjQO6rGBZHJfH5gHlEHMd0K/vqhoEvUcOXJjvw9kICa53kdE4tgpHy6TCXBJiYYPKptaechOxHkQpzCXJxutQujF3kNGxs3M+pan9ilDFZV6+ePk6u6Cb5cF+mbcI/UxVCIlAQgy6ZqBTYPbkJDXeSh6eoJ97cmhEwTbXvSGLv91l/nM+Rj3Awh6WKt16Ug9ccdNokFwezzvpNg3xiO4fYZ7cHMKQDcGwxf03A6H6pZUucOVD5r/kAw4H0GDYwhGA+1+NRNkDiUlF6ce7GlK9iiVdtKrrt8RSdjZAp5e/jPZKAHcMrtEf3enn9cRSRP+ZiBEnGjYyE4ZjBetePDN8kPaeckOOf39QaJS9+Yoiwko4jSxeUd1jc6Ha4Y3H9IVY8MqaaV/0yt4xTMka44WkW6PAMsY6BDrB1HNN4fqwy84SidwmdAaHYEWO6CoJYlLPXKJz3OARbQi44wKNkT4VyaShHpy+CqXQlfTB5o7YHNmjyyx6NAOiunzwD3L+CXM0SmPmVfM3zBQL+jo1RwfcWTGBBM9JLmKREWiWkskA1WqbL0z9zBUt9eN32SWUCP6sQmOKd9HbmcOBdx15yXCzJXeuJKHLCa45uCqWEaVfFxHBnzW9bDqpVSOu0S/zMfnQzApwYL2XBG+eLd0IKUpljJcokrwe+nPLzxJeHzuS4lJH58hxEFDcUXumFwvdVxRr7POPyOirYfEVq7ArJj5mZ8K/twCamehNABleLcOEobKuYBj7u0K0csd3rFDENKz/pSJP7DerepF5ZDEEBFja2L2gpjsdEc+nipptVhlyV8jXjc7U29folRVs7i4d+u9tZT5704WC1k3HaLQxw==
arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=c9XJkXq2nVzQszkaitQw7TplpWMZ9p5AYlb8qCJeQUgT7tD1boSl1MA7czn1+deXsPsF4KelHi0wSSPhcgbTDGnQgZAVCyfpFtAi3kA7OVo0pBuJIr2N03ypAc10LyndflbyZenqW/md5j3qpcMYJMohuTmg5VE8yeb6Y74vAqxnjpqcIbfNcFK/ITiKTl3mGo4fBjXohSl8tZRvCY+S6Fmk2gN0bq6UNT3eGBbNLj4Gkf/8ufXFdimsJGppIv4zmgTwre73mXb+scDGtBQiqwI3HxWAJg1hlei/Fx1+AeVDwqZAWy7zGT3mLYci3wvPQBMsnO1OTZaadCCq4l+v8g==
arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=kPodo/PNmTBFS3WIcfmKMQFAg4BNaJ4Ki7C2MKfwg3g=; b=EGP3Nod2f30KT2zxPTRZKEmr7Y3tUPqQXAOCvNgRJiGACKIYr1+qbZDknVsX4rn4Q6kvglT09IRFCmDjTdIcdhf70+Z2DEnd5tMtHr/wzdlqUnlITnfes0KxxqHeb6mo6z3G7oyKYoDqzB7/rh1kf5MpzXaZoFR5ZkMxmuBR07q9cYxAvmJuezZupGpVGV7Eo5jF/jnjkTx5kTmX7mgVG+md90uA58EzH8rgFMyEjnrJbq4XDwGkKV+9emqTVvI7mYb2QhBUeehOWQUy8GPH46QQz2zslEaRhWuMIxK2t0lX7C6PVsH53AOna3+vV9iUbtdmxgmZIwqi45uSrtxY3Q==
arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=akamai.com; dmarc=pass action=none header.from=akamai.com; dkim=pass header.d=akamai.com; arc=none
dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai365.onmicrosoft.com; s=selector1-akamai365-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kPodo/PNmTBFS3WIcfmKMQFAg4BNaJ4Ki7C2MKfwg3g=; b=Hlr4mKvLkD8N/hNxnrezhPYqCv+SY0AO0VX2dCtaAV3+JaZs/ygmuVL83iLSO9L0C6jKTjySGmllLypqPTo33C1UdQYUcbNv4GA7CBnmDhBAVGRj4nwKrnjyf2HWIHgvp2lC3pTtQJlaB1c1DlT7fWYKhKIo97lVBomoO7QeJ1o=
x-ms-exchange-crosstenant-authas: Internal
x-ms-exchange-crosstenant-authsource: MN2PR17MB4031.namprd17.prod.outlook.com
x-ms-exchange-crosstenant-network-message-id: ac70e553-9fd3-491a-f9c1-08de08252327
x-ms-exchange-crosstenant-originalarrivaltime: 10 Oct 2025 17:47:52.9275 (UTC)
x-ms-exchange-crosstenant-fromentityheader: Hosted
x-ms-exchange-crosstenant-id: 514876bd-5965-4b40-b0c8-e336cf72c743
x-ms-exchange-crosstenant-mailboxtype: HOSTED
x-ms-exchange-crosstenant-userprincipalname: g1gAzKezGM81EdBhzeUZYVHr+8u3hXU8BqxtuqDtWp1bjqCcspUB/4oSuXLoSBHrvhQ77kRVpPeMk/yopCbjQA==
x-ms-exchange-transport-crosstenantheadersstamped: CH4PR17MB7426
x-originatororg: akamai.com
Content-Type: multipart/alternative; boundary="_000_MN2PR17MB40310B8903D5D063973C65BFCDEFAMN2PR17MB4031namp_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1117,Hydra:6.1.9,FMLib:17.12.80.40 definitions=2025-10-10_04,2025-10-06_01,2025-03-28_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 spamscore=0 mlxlogscore=607 malwarescore=0 phishscore=0 adultscore=0 mlxscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2510020000 definitions=main-2510100101
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMDA0MDAxOSBTYWx0ZWRfXxraI/jQIqLrP L087PYoGNbWMgD12Ldzt22+nlJOlwb76Thj6qd0K9D9uifMWx2YBGSeOradvf/Nx5/jWfu52Ysg +2qDYN8fTmTRfI2llGQu95nnsRxcZVJpIDtl1queiiMWF+jkQCC/kb/5ArFXayrv8KgZQKo4GwA vRy+9r/EEfKKEtoEdBZ4bU15p/QIYqdexv3u9VZzsJkW3HJ059AMi11OcY8CbNm/eof+yRWVtZX pCHsj+TfOz+9Hts6RZfCJVODSHqUQ9UNpWYlY/K+t7Lv4EBYOPYwDVw+vWAze/b8V6FEj4fDivM 2crwgUUQSrjpkGPMKbufjRnUEypV2vOvRlZbywlHxkhxyoLt9KO3FguQUVK/GBzOBsVbeA2SNmf A8qtJXrlyv+ZrM376uBeWoT+vOka8Q==
X-Proofpoint-ORIG-GUID: R-3hXgdqq3peaq9XsidKH-dVR1iWwPWQ
X-Proofpoint-GUID: R-3hXgdqq3peaq9XsidKH-dVR1iWwPWQ
X-Authority-Analysis: v=2.4 cv=c+imgB9l c=1 sm=1 tr=0 ts=68e946cc cx=c_pps a=WPLAOKU3JHlOa4eSsQmUFQ==:117 a=WPLAOKU3JHlOa4eSsQmUFQ==:17 a=lCpzRmAYbLLaTzLvsPZ7Mbvzbb8=:19 a=xqWC_Br6kY4A:10 a=x6icFKpwvdMA:10 a=g1y_e2JewP0A:10 a=Y-3JPqK_snqLdUp0X7sA:9 a=CjuIK1q_8ugA:10 a=daNe8-EnDMqUEZlkxxIA:9 a=PibYBC0dTBVUqsle:21 a=_W_S_7VecoQA:10
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1117,Hydra:6.1.9,FMLib:17.12.80.40 definitions=2025-10-10_04,2025-10-06_01,2025-03-28_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 lowpriorityscore=0 adultscore=0 malwarescore=0 phishscore=0 priorityscore=1501 bulkscore=0 impostorscore=0 spamscore=0 clxscore=1015 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.19.0-2510020000 definitions=main-2510040019
Message-ID-Hash: AIUQABQZ4VPP22V677V7PPYFBIRY27BG
X-Message-ID-Hash: AIUQABQZ4VPP22V677V7PPYFBIRY27BG
X-MailFrom: rsalz@akamai.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/alWX7X_tdyK7MjTr9bGxyM7xvbk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

  *
IIRC, rumour has it that those who need a FIPS-validated stack, and have
  *
only an older stack with P-256/P-384 validated, but ML-KEM not yet
  *
validated, can get a validated combination via ML-KEM plus ECDSA, but
  *
not ML-KEM with X25519 or X448.

The NIST rules for hybrid key exchange, which changed a few times, are now as long as one of the two is validated (in either first or second position) they whole exchange is okay. So yes, if you only have P256/384 validated, then you must include that in your hybrid exchange with ML-KEM.

v2.35.0 | Report a Bug | By Email | System Status