[TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3

Joshua <joshua@marionberry.net> Mon, 13 April 2026 04:15 UTC

Return-Path: <joshua@marionberry.net>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id A6735DAFBCC9 for <tls@mail2.ietf.org>; Sun, 12 Apr 2026 21:15:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1776053750; bh=aSt/W9Xcv+yfSaxYF1wOMz0pquiN1Og/ginI+qOgIMY=; h=Date:To:From:Cc:Subject:In-Reply-To:References; b=ckJtFA8NVh1rt++4of1w7e0aWm+ptmETwmPB9ROZ53Rm7NhxhOp9PrHKVcmzyfLA4 oAyULjQKfDRMTnTnQgcSKve6xFwIBG3VBpN95vUe3NU4OQxC8S9aGPbzzgjk7fAf/k WOWj9HLU7fbqsE6/GMs1WFWTvCIO+C/RK061xcfw=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=marionberry.net
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QbLEBE0r3H9U for <tls@mail2.ietf.org>; Sun, 12 Apr 2026 21:15:49 -0700 (PDT)
Received: from mail-24420.protonmail.ch (mail-24420.protonmail.ch [109.224.244.20]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 7FED9DAFBCB9 for <tls@ietf.org>; Sun, 12 Apr 2026 21:15:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marionberry.net; s=protonmail; t=1776053740; x=1776312940; bh=PZhtVuZkM38j7ur+XEp7FZpMlKRCaCvOrHYtUCrsf6A=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=GB2NSuaWJyXSB/DblVLZANB2GrT4HftRbR1/ixgqlcHDnL6ZgfJsptf7K+UWW70AS xPvYZ9s3/zbaDBazeIgq1P4zrKnC1X8QorgNWQV251a58xJd/IfndTfoszrhmkXkpf G7Lyu7SlcNhP0OyrdVJRC7c5Z/PaOcegBnuJf9FooUHNlYiq0i0vs/9DZem8tlfqD1 rlXyHs32+vA4h2sPpUs4gKOlWqRw73iusIpvUTmi8n+VPYyz9yitlUeHSnshe4FLW0 tneEJNJFEFiBPyHEi3dqtJrPWvQVkaaeEEUmMXy+MdYo7RIRZ8gkyw12X+oE6bFzUu 1x7GCrAHd3Byw==
Date: Mon, 13 Apr 2026 04:15:34 +0000
To: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
From: Joshua <joshua@marionberry.net>
Message-ID: <tXWKRV8kqdaOzgP3UtMuBOpN65WlHDw5JlxyIHqqqLTkrsYGVTd7wIjKvPFcgFp3Rv-2p2dW8cMrZRlS7VdVL8ble3RHKQw6eBoS_h4vVNs=@marionberry.net>
In-Reply-To: <a0060c9e-d791-4501-a534-bb0cde970df3@tu-dresden.de>
References: <CAMjbhoWwvfkfScpbf4-5PBzk__qb+6M4ZzAOba64kk9aXBba5g@mail.gmail.com> <CABcZeBO59jwCA=vKiJ=QZaU8rPJxKv_WwFGOTot0jR+hpiFuLQ@mail.gmail.com> <43fd169d-d280-40dd-9d2c-311040bed4ad@tu-dresden.de> <CABcZeBMF=GXHY9syqbh0ir33=MxXHpbz5jpt5p8_YNo8yNmmdA@mail.gmail.com> <6cf2c9d5-3846-4685-9615-0de2195b6e15@tu-dresden.de> <CABcZeBPU2th2e1Dmp3dd==-K9oZE9kJASYBwCUQPc4EzQYdpuA@mail.gmail.com> <8618f27a-84ae-418a-8eaa-b6530bb6fc09@tu-dresden.de> <aduzLrLPhev1nFR3@LK-Perkele-VII2.locald> <a0060c9e-d791-4501-a534-bb0cde970df3@tu-dresden.de>
Feedback-ID: 131523398:user:proton
X-Pm-Message-ID: 89086be80a39909d863fa032622fdb5b0d95b9e6
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha512"; boundary="------eb10d7198f7cab3a3747b339d0d36593935b9394af26a0db89a7f49e679c4f21"; charset="utf-8"
Message-ID-Hash: YFWJEHCNAOZ5DVRQHVSVVNKFBKBB5KLI
X-Message-ID-Hash: YFWJEHCNAOZ5DVRQHVSVVNKFBKBB5KLI
X-MailFrom: joshua@marionberry.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: TLS List <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/c_7K-XCPlsQmj9M7XrGCHcbANto>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

> I believe it depends on the threat model. In [0], I tried to explain 

> the threat model industry has got in the Confidential Computing 

> Consortium (CCC) and I believe deterministic signing puts most of the 

> work at stake. It would be helpful to understand if you disagree with 

> [0] and have a different threat model in mind.

I mean, I agree that deterministic signing can be risky, but in the case
of TLS would it not also require a fault in the RNG for a server to re-
sign the exact same plaintext? (eg, it would require a repeat of the
server's random value)

The threat model the CCC has is that key extraction cannot be allowed for
signatures of any arbitrary plaintext, whereas in TLS allowing signatures
of arbitrary plaintext to be generated in the first place would be an 

extreme weakness. Should a fault occur in deterministic signing, and a
re-sign would immediately leak the private key, it would require a second
(arguably more catastrophic) fault in TLS to actually cause that re-sign
to take place.

Best,
Joshua Nabors

On Sunday, April 12th, 2026 at 1:40 PM, Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> wrote:

> Hi Ilari,
> 

> On 12.04.26 16:58, Ilari Liusvaara wrote:
> 

> > On Sun, Apr 12, 2026 at 01:51:58PM +0200, Muhammad Usama Sardar wrote:
> > 

> > > In particular, say you are an implementer used to reading IETF documents and
> > > not NIST documents. Security considerations being offloaded to NIST document
> > > is an additional burden for you. But let's put that aside. For your
> > > implementation, would you interpret that text as SHOULD NOT or MUST NOT in
> > > IETF sense? How would you resolve this ambiguity?
> > 

> > It is clearly SHOULD NOT.
> 

> Thanks. This confirms my concern in the very first email.
> 

> > > And I believe this ambiguity has significant high-stakes impact. Say you
> > > manage to resolve it as SHOULD NOT: All confidential computing solutions are
> > > /almost exclusively/ based on TLS protocol. Would you let attacks like
> > > BadRAM, TEE.fail and wiretap.fail continue to be exploited? To me, this
> > > seems like a disservice to the community, given a demonstrated history of
> > > exploited attacks.
> > 

> > Randomized signing does not help there.
> 

> I believe it depends on the threat model. In [0], I tried to explain the threat model industry has got in the Confidential Computing Consortium (CCC) and I believe deterministic signing puts most of the work at stake. It would be helpful to understand if you disagree with [0] and have a different threat model in mind.
> 

> > Furthemore, things like BadRAM, TEE.fail and wiretap.fail are far from
> > the worst threats.
> 

> To the best of my current knowledge, understanding, and belief, the ones I have mentioned are the worst threats as of today, in the context of Confidential Computing. So may I kindly ask you to share at least a few of those "worst threats" and help to understand the criteria for judging the severity of threats? Thank you.
> 

> IIUC, you are a cryptographer, whereas my background is in formal analysis. We don't have probabilities in our formal models. I am seeking to align my understanding with the threats you are citing.
> 

> >  And the worst threats are becoming even worse...
> 

> FWIW: It applies to everything in security -- and not specifically to confidential computing.
> 

> Best regards,
> 

> -Usama
> 

> [0] https://mailarchive.ietf.org/arch/msg/tls/w9f5MhuGiF75HoNQn1PnL9C-zSk/