IETF Logo Mail Archive

[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

"D. J. Bernstein" <djb@cr.yp.to> Tue, 25 November 2025 08:05 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id CCCB4900F8BE for <tls@mail2.ietf.org>; Tue, 25 Nov 2025 00:05:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.197
X-Spam-Level:
X-Spam-Status: No, score=-4.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bjcYwI1bGVJ2 for <tls@mail2.ietf.org>; Tue, 25 Nov 2025 00:05:44 -0800 (PST)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by mail2.ietf.org (Postfix) with SMTP id 4210E900F8B6 for <tls@ietf.org>; Tue, 25 Nov 2025 00:05:44 -0800 (PST)
Received: (qmail 3764827 invoked by uid 1010); 25 Nov 2025 08:05:43 -0000
Received: from unknown (unknown) by unknown with QMTP; 25 Nov 2025 08:05:43 -0000
Received: (qmail 273156 invoked by uid 1000); 25 Nov 2025 08:05:30 -0000
Date: Tue, 25 Nov 2025 08:05:30 -0000
Message-ID: <20251125080530.273154.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: draft-ietf-tls-mlkem@ietf.org, tls-chairs@ietf.org, tls@ietf.org
Mail-Followup-To: draft-ietf-tls-mlkem@ietf.org, tls-chairs@ietf.org, tls@ietf.org
In-Reply-To: <a49c347c-ccb0-42c5-808b-a3f49455858e@app.fastmail.com>
Message-ID-Hash: D6MTIAX5JLUJC4QAWWSLRM24H34Z5L2V
X-Message-ID-Hash: D6MTIAX5JLUJC4QAWWSLRM24H34Z5L2V
X-MailFrom: djb-dsn2-1406711340.7506@cr.yp.to
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/cEQh2NFSx_UjuxxwlrKojGArwr8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

> implementers can make their own choices

This document was introduced in pursuit of "CNSA 2.0 compliance". A
Cisco employee wrote "that's what they're willing to buy. Hence, Cisco
will implement it". An NSA employee wrote (on LAMPS) "As the CNSA 2.0
profiles should make clear, we are looking for products that support
/standalone/ ML-DSA-87 and /standalone/ ML-KEM-1024. If there is one
vendor that produces one product that complies, then that is the product
that goes on the compliance list and is approved for use. Our
interactions with vendors suggests that this won't be a problem in most
cases."

These compliance arguments sound to me like very much the opposite of
implementors making their own choices.

What's really fascinating about this situation is that all of these
compliance claims are contradicted by an official NSA statement

    https://web.archive.org/web/20250827175413/https://media.defense.gov/2025/May/30/2003728741/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS.PDF

saying that "hybrid solutions may be allowed or required due to protocol
standards". If the WG standardizes ECC+PQ and refuses any endorsement of
non-hybrid PQ, what exactly is the supposed compliance problem?

There would be a clear compliance argument if, hypothetically, NSA were
to suddenly announce that it will use its market-warping power to force
non-hybrid PQ _even if this violates standards_. But I think this would
be a public-relations problem for NSA. Instead NSA's official position
is that "hybrid solutions may be allowed or required due to protocol
standards". The hints to the contrary are coming _unofficially_ from
some NSA employees, without the organization taking responsibility.

---D. J. Bernstein


===== NOTICES =====

This document may not be modified, and derivative works of it may not be
created, and it may not be published except as an Internet-Draft. (That
sentence is the official language from IETF's "Legend Instructions" for
the situation that "the Contributor does not wish to allow modifications
nor to allow publication as an RFC". I'm fine with redistribution of
copies of this document; the issue is with modification. Legend language
also appears in, e.g., RFC 5831. For further background on the relevant
IETF rules, see https://cr.yp.to/2025/20251024-rules.pdf.)

v2.37.1 | Report a Bug | By Email | System Status