IETF Logo Mail Archive

[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> Thu, 27 November 2025 19:18 UTC

Return-Path: <muhammad_usama.sardar@tu-dresden.de>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id CE37291CD64A; Thu, 27 Nov 2025 11:18:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=tu-dresden.de
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8N9n4YuPueSd; Thu, 27 Nov 2025 11:18:10 -0800 (PST)
Received: from mailout3.zih.tu-dresden.de (mailout3.zih.tu-dresden.de [141.30.67.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 0B36F91CD640; Thu, 27 Nov 2025 11:18:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tu-dresden.de; s=dkim2022; h=Content-Type:In-Reply-To:From:References:CC:To :Subject:MIME-Version:Date:Message-ID:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=xhpwX6kzDw5Lcm9WhxK5KGcSW7HnMjm4eDYYQf2NaCA=; b=Yub7brHoBg2pQF5r8IW5oACHDX 1WhdjTUzhbbf7c+QwiGsvSaO+/XsoEc775IvkbHJm9onhQvVivh1LQNfxXkDwSs6V/rBCtY1F53hx 4d+g0hIWR7hHr5Ywe7OY4iHhRVCjoBiAnLleHnVpHe27GJhl9HfAWw9zhR1HRnrzl33VZI7I+xiq7 cSHjRpoZ5qcAQJ3QA2btVBmauuImuItpynJVYS/vtTNcoaE1gAehCuPX4CZU0fHzt+c+SURZLmx5I gc8As8t/B2xR6Ri8PxIWIjMnoHK0CuUqWrJKmFuUXGlUIVfiNJ9Z76gKrNxQIDNXyOFTqJLQLO8dk nK1e2cdw==;
Received: from msx-t422.msx.ad.zih.tu-dresden.de ([172.26.35.139] helo=msx.tu-dresden.de) by mailout3.zih.tu-dresden.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <muhammad_usama.sardar@tu-dresden.de>) id 1vOhVH-00F0Fr-9d; Thu, 27 Nov 2025 20:18:08 +0100
Received: from [10.12.5.228] (141.76.13.165) by msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.29; Thu, 27 Nov 2025 20:17:49 +0100
Message-ID: <6aff80ef-b5ab-4daf-8606-0abeab43e497@tu-dresden.de>
Date: Thu, 27 Nov 2025 20:17:48 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: John Mattsson <john.mattsson@ericsson.com>, Eric Rescorla <ekr@rtfm.com>
References: <GVXPR07MB96788602130757CA20A7A43B89DFA@GVXPR07MB9678.eurprd07.prod.outlook.com>
Content-Language: en-US
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
In-Reply-To: <GVXPR07MB96788602130757CA20A7A43B89DFA@GVXPR07MB9678.eurprd07.prod.outlook.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms000003030102090203000303"
X-ClientProxiedBy: msx-t420.msx.ad.zih.tu-dresden.de (172.26.35.137) To msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139)
X-TUD-Virus-Scanned: mailout3.zih.tu-dresden.de
Message-ID-Hash: NAJQ7OXLBEPVQA6Y5IISTDCYVRX3DENF
X-Message-ID-Hash: NAJQ7OXLBEPVQA6Y5IISTDCYVRX3DENF
X-MailFrom: muhammad_usama.sardar@tu-dresden.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "draft-ietf-tls-mlkem@ietf.org" <draft-ietf-tls-mlkem@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>, "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/cGVWArNZO-N_r-5u5K8lBoVUitY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On 27.11.25 17:02, John Mattsson wrote:

> Eric Rescorla wrote:
> > What's *not* compliant is if you have an implementation which doesn't
> > support P-256, no matter what other groups it supports.
>
> As I wrote in my response to Bernstein,
Thanks John for writing a separate email. I couldn't follow all these 
lengthy discussions.
> RFC 8446 mandates ECC only when no application profile specifies 
> otherwise.

Looking at starting text of section 9.1, you are right. I guess Ekr's 
implicit assumption for simplicity was that such an "application profile 
standard" does not exist for that specific discussion.

But this raises a new question in my mind: RFC8446bis-14 uses 2x 
"application profile standard" and 2x "application profile" but I don't 
find any definition of that. I am curious who is the /authority/ for 
such "application profile standards". You mention CNSA 1.0, CNSA 2.0 and 
3GPP TLS profile, which make sense to me. But you also mention:

 > Constrained devices, for example, often support only one of secp256r1 
or X25519.

which confuses me. Do we have an exhaustive list of application profile 
standards? If any one can write such profiles, then the whole idea of 
MTI becomes questionable to me. That is, I could write my own profile 
and say I am still compliant with RFC 8446.

> Muhammad Usama Sardar wrote:
> >couple of sentences that basically tell me nothing about why this 
> draft even exists.
> >Specifically, I would like to know more about those users to be able 
> to reach out to them to ask whether they also want attestation.
>
> I agree that the draft should include a more detailed motivation. Some 
> relevant points: [...]
I am in no position to judge your points. But I really hope the WG can 
agree on at least some of that to be added in motivation.
> - Several countries are recommending or requiring standalone ML-KEM. 
> They may be worth contacting to determine whether they are also 
> interested in attestation.

Thanks very much for the links.

I will appreciate if at least one of those which explicitly mentions 
MLKEM was added in motivation section of the draft.

> (That said, my support of publication is still conditioned on that the 
> text in Section 5.1 is completely rewritten or removed)

Is it this one? [0] I have no opinion from PQ perspective but from 
traditional crypto perspective, I agree with your concern on key reuse. 
Intuitively, I would assume the same problems would hold in pure PQ but 
there may be subtleties.

-Usama

[0] https://mailarchive.ietf.org/arch/msg/tls/Wc0tnrJX0AwMnjBspeM3pxCwEoU/

v2.37.1 | Report a Bug | By Email | System Status