[TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3

Russ Housley <housley@vigilsec.com> Fri, 10 April 2026 15:18 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 18C7DD98E619 for <tls@mail2.ietf.org>; Fri, 10 Apr 2026 08:18:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1775834284; bh=kGIXGHBCH/MCUBJFT7uEMeOKIrb0EtzO1/SROX1GMd0=; h=From:Subject:Date:In-Reply-To:Cc:To:References; b=KGNY2zbJGzD7dXo31vxP6UOW0nHWGP4uDokEa87CCC4VNIgsGkTfDQWoM8E2nsdDi iWGqDj/0+faAcxtJ7DvvKsqRR3wYL4H8311gBPX2Boh4E4Ei8bIwKg5Jw4m/fRy2jj oOFxBJK7Gzy44FkbF/AxOyHGny7a9pxVn47ucsBk=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=vigilsec.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h2aLKC3Sp6uD for <tls@mail2.ietf.org>; Fri, 10 Apr 2026 08:18:03 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 60E45D98E612 for <tls@ietf.org>; Fri, 10 Apr 2026 08:18:03 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 332371A1D4E; Fri, 10 Apr 2026 11:18:03 -0400 (EDT)
Received: from smtpclient.apple (pool-96-255-71-95.washdc.fios.verizon.net [96.255.71.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id E4C501A1DC2; Fri, 10 Apr 2026 11:18:02 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <21576DD9-F23F-41F7-B4DF-7BFC3D454C7C@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D7BBE2BD-2FD0-4726-B42D-BCFCFCC31A60"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.400.21\))
Date: Fri, 10 Apr 2026 11:17:52 -0400
In-Reply-To: <PA0P264MB692528499FBBD7EDD29B71C2B6592@PA0P264MB6925.FRAP264.PROD.OUTLOOK.COM>
To: Daniel Van Geest <daniel.vangeest@cryptonext-security.com>
References: <16CF0FDA-7263-461A-9F2B-D37DBEAF5DD9@sn3rd.com> <PA0P264MB692528499FBBD7EDD29B71C2B6592@PA0P264MB6925.FRAP264.PROD.OUTLOOK.COM>
X-Mailer: Apple Mail (2.3864.400.21)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vigilsec.com; h=from:message-id:content-type:mime-version:subject:date:in-reply-to:cc:to:references; s=pair-202402141609; bh=VcxQS+6vnHsko9WmEVdn+0iHFpPg8TM9dLfXRcL0u6g=; b=QAcfqj5qRYV639O07DjPsAsKoxBFpJeNZ0DlU/9RircwnmlZawnmYibGSUtQWz0Yo7TrXhtyfN7vXjZ8qIn8Y+glOrpx40uxf2EuwdjsY1z4i2YO7bJzYWHyjRqv+Uf27f3EEtkmzr9wIUG4YWMXl7I2kS0Q8J65IXCyqOKKU/ShdOJR3Izft0CeHYeOtbeWi6jQEc7k3QA63HtvRinndekVDelt8BeMGFtkUyBMcA+z38KGhdnS5o+GNJEYvmu/QioHTeTGzcxOe6abuq3qCJOiZkvAlOH9AyW7AqRH5xPxkzOqo41CMiBT7Zv3ST6SIZ+1QScMMEP4L8E0pJFZPQ==
X-Scanned-By: mailmunge 3.09
Message-ID-Hash: HQRXMEV7CBBO3UP32MN5DN6G6LCQGNF7
X-Message-ID-Hash: HQRXMEV7CBBO3UP32MN5DN6G6LCQGNF7
X-MailFrom: housley@vigilsec.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: TLS List <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/dXogYUnBr2poFtVZlQl4P20gQVA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

This is a nice improvement.  I agree,

Russ


> On Apr 9, 2026, at 11:20 PM, Daniel Van Geest <daniel.vangeest=40cryptonext-security.com@dmarc.ietf.org> wrote:
> 
> I have read the draft.
> 
> I have one pedantic request:
> 
> 3.2.  Handshake signature
> 
>    When one of those SignatureScheme values is used in a
>    CertificateVerify message, then the signature MUST be computed and
>    verified as specified in Section 4.4.3 of [RFC8446], and the
>    corresponding end-entity certificate MUST use the corresponding
>    AlgorithmIdentifier from Table 1.
> 
> The corresponding end-entity certificate is using the corresponding AlgorithmIdentifier **in the SubjectPublicKeyInfo** (because whether it's used as the signatureAlgorithm is orthogonal to the handshake signature), but I think this text should be explicit.
> 
> I suppose this same comment applies to the heading row of Table 1, "Certificate AlgorithmIdentifier" could be "Certificate SPKI AlgorithmIdentifier".
> 
> ML-DSA uses the same OID for public keys as for signature algorithms, so it is important to specify which is being referred to.
> 
> Apart from this, I think the draft is ready for publication.
> 
> Daniel
> 
> From: Sean Turner <sean@sn3rd.com <mailto:sean@sn3rd.com>>
> Sent: Thursday, April 9, 2026 8:30 PM
> To: TLS List <tls@ietf.org <mailto:tls@ietf.org>>
> Subject: [TLS] Working Group Last Call for Use of ML-DSA in TLS 1.3 
> 
> This is the working group last call for Use of ML-DSA in TLS 1.3. Please review draft-ietf-tls-mldsa [1] and reply to this thread indicating if you think it is ready for publication or not. If you do not think it is ready please indicate why. This call will end on April 23, 2026.
> 
> REMINDER: If you have not done so recently, review the TLS WG's Mail List Procedures; see [2].
> 
> The Chairs,
> Deirdre, Joe, and Sean
> 
> [1] https://datatracker.ietf.org/doc/draft-ietf-tls-mldsa/
> [2] https://mailarchive.ietf.org/arch/msg/tls/ucdImHExlbOf4Q3BCG81gjzi2xE/
> 
> _______________________________________________
> TLS mailing list -- tls@ietf.org <mailto:tls@ietf.org>
> To unsubscribe send an email to tls-leave@ietf.org <mailto:tls-leave@ietf.org>
> _______________________________________________
> TLS mailing list -- tls@ietf.org <mailto:tls@ietf.org>
> To unsubscribe send an email to tls-leave@ietf.org <mailto:tls-leave@ietf.org>