IETF Logo Mail Archive

[TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3

John Mattsson <john.mattsson@ericsson.com> Mon, 20 October 2025 15:27 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 7316E7826F91 for <tls@mail2.ietf.org>; Mon, 20 Oct 2025 08:27:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=ericsson.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r7bN90dpC2Yi for <tls@mail2.ietf.org>; Mon, 20 Oct 2025 08:27:08 -0700 (PDT)
Received: from AM0PR02CU008.outbound.protection.outlook.com (mail-westeuropeazon11013047.outbound.protection.outlook.com [52.101.72.47]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id CD2817825F10 for <tls@ietf.org>; Mon, 20 Oct 2025 08:21:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=FaCob0SpUXE/oykuocDrsVln0oDNOhwzwL2wnMvG09KhZXep8Jd4K0JeYdfSTLtpxvavXoY1RDqStFv7sySIb1/i3XsorRGZcsUvTk4R3i5FPUlElEeujY+waj9+UcXDR8lvt8o5Ivm+sLvCicshf5mKN8EBDjdFOGTKWGbkxo13LLx1vU17lzXTTuehTloEzu3NemUp6Fm8edk9CbyibbqhE3TwvlTqo4yreI8Pmmk9djdGp6bx0eArGO3Mab6e4f/PGWSNZrTA7zuXFkmmsk5k8MbCciYrEhQqZUkenyNqIEiSKb8+gOdNGPn8HeGN7eAqWueL12eVVmU8Fv4YkA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=n0w1z/h8s/QlArGkDYUqEu3VuvmnD5THCF2T2UlPxsk=; b=ocX80Qq2iI7B8s9zd91sbf3ALho7j5JMDu0EH7zyiic1zJPoSELUjq52Ch/GsxWRldk8MT6oZubz1scGxOwpPEJ5hlh8FIk5GFJvDtrc+HOQa7ltRAaEFXvvLb2R78rJaYmfneRBAha9BdFw+JoS2vxtWf1PoWvYtg2NxwhSRyWg/QHfrJnx+xf+JLZ5OBZt8cupU2253SzLTEyuZO8yquoifqAtqCsN2r5y46b2/8Lyg1j4SYMya6cJgEpRkDl64KigrXvBLe7yYv2MwTObSmEmhdXxPia0EYulP7yXU8pgg8nnO4SbeTF6DdQ3hFwcHTRgCW9q+3/1mBnW8LGBmQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=n0w1z/h8s/QlArGkDYUqEu3VuvmnD5THCF2T2UlPxsk=; b=AIikxs7XRqcULE7A2a++qCryFKbGAy3NwRfsetahdWTWM4dzk6q/+WLKZ28UylrDy1QvYlbXriy2SB6oIZIx2oKLrH/jeo+kudQMe07dqJn7Edn/py4IM0CmQcru00EUr+HJ+GdTMCyGKYW//N6wItccUw6Kypt8HBIk6WV7n6L8g9HfYao/TuwptAbFLRVCUssJRmAJCmXwCiz5sjpyiKqaB9WhSRUA8CDiN3p0n4YcK3YzIXSpt6mw6aBQGhou6A9KXNUZ7pbYqVHT1KgnNOCwfynoagupBvxxmopUrOVsn4k2O5RIkJUtx/XvAQsnIgMMYqkC9A4+SpFNGeJinw==
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com (2603:10a6:150:114::10) by PAWPR07MB10093.eurprd07.prod.outlook.com (2603:10a6:102:38f::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9228.13; Mon, 20 Oct 2025 15:21:09 +0000
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::bcf3:3f45:888e:a4b8]) by GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::bcf3:3f45:888e:a4b8%3]) with mapi id 15.20.9228.015; Mon, 20 Oct 2025 15:21:09 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>, Eric Rescorla <ekr@rtfm.com>
Thread-Topic: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
Thread-Index: AQHcQdPQIktgN5tlQ0Or1D6rUhGj+LTLJH5o
Date: Mon, 20 Oct 2025 15:21:09 +0000
Message-ID: <GVXPR07MB9678EF0EB4C4896E542935F589F5A@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <GVXPR07MB9678ADD1D3268BB055751EA989F5A@GVXPR07MB9678.eurprd07.prod.outlook.com> <CABcZeBOH289QVSZomDfE8dUK5oB7kM0i_66s3S260WOjyTp4kw@mail.gmail.com> <871pmxip86.fsf@josefsson.org>
In-Reply-To: <871pmxip86.fsf@josefsson.org>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-reactions: allow
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: GVXPR07MB9678:EE_|PAWPR07MB10093:EE_
x-ms-office365-filtering-correlation-id: fd17d813-86ed-482d-3bcc-08de0fec4c2c
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|366016|376014|1800799024|8096899003|7053199007|38070700021|4013099003|4053099003;
x-microsoft-antispam-message-info: 3eypIE/MvY0kHLLi763SNj7V8RSwA0cC/TlZG26hPHaaMNeK3p9BeIbAyAaloJTefaDFDHnZoigbKojJVCRRhDH1uyjYeJlPZr3xQfFlyGcm329XRA0gPIpvUWOyJIzn3bvENCI/GgmZquG1ITD9SYiegqa6i3mm05pY97+vTVMFlihBZdYz86WmR4IJt2GCu5N/OXHsYhCr8VG0gMhFn+a5hxI8ZUA6WyBVNTAoiNc4OFF+Czd6QezBTTkJQSyGE3jOBV81rKlQxEHUtS0FF/1Fcv6X66ffJfiiaEhQUkpjrfTFWT0jlto7Vh+eApyMWY7Ao1rJ9DhZ2YDowTqmXqzogVhHglF658OT5I3XwJRsPmaW1XUzfNUtOnZPce0Fz0SgGSFV9hQ9AfUJb/CwPvvK8KGXPr9K60d3gu4ruBRkPGSJvdjKyVqK66bLa+UJ41ECQTcPlYt4N4Yx3/NNrXUI+aVhzTYyoQOR1le4H16F4U7zjfoy5LJAqEN8SqDmUQqIySDEFQ7sRH9/jC8C5/6K6Ko11e3YsG2912zBmZAAibCBDqiDT6y1etAm/y5+I6iJgoCdt8tHiZV4ubD205gSAsguO+MlqggFQ4yTSxKj4hYuW/K11m/JH40n9gxG4xFqNM4EemG5tCuZhNoB1PtESjJOe6sUh3l0lM2qAzXGCTqY75BuULkuCuTSyldjv64FrUIw+dWoxTlqipJpqTq6rdYSDKLk6BcvQjsrsh0nfX7B3B83i/D7q5+Kqyf5HkUtW/wdDPbvWY66FuflQnbWgUtx5VOxxUldD+lyFiiUQPWVNE8pW8iQ8gDQWRuETDBhnI8G/AqUOcI6Q4h4JUJpNOIU8NcsqEBDgTXdPzlf6iIVfkKEbcNjEdeyhlscekRTgF9HvRTxtxxpkQMqxGwctT+4vQak3pV3X5pkb/S3OEDeuvIGSiLK2+075vlQcKMI8WodFB7b1Y/Dt6WJQqRUgewtdEwgFHu9Hv8MSQ7Eu+O51gB1yY/ygktLsBdGOTnRHFBCYVskNIrVdxIoalHyjHm441nzFhI2/LIudmFv5oGREtCA6OwNyvA1mhqPkhoB1taelTfuyP9579hMuzGRpXnhNedK+MRXoSxnl1ET6vgP8NMXTbjg36aZuMn1aFUV9U7YXKgIrIYpBINxY2woFxdDlTZRQAPy6r/pvLRNIZbYwhrqIpKJeh+3YAj/xgNFZRlm4EFKZVtWH+2IsbwCqbV5TfoEmxsq5KAtuUy9c/XDmFpVpJ5PXCkFbAudunGYrM2mziwendVzBYiVAMgnOMG7A3/yj8SneXgVDyr/XtbQRRLexrKN0zfBnWSGb/JbRjUXwjChDTswd4nzQe1df7Qt+IamQureH6uFZROZNWIGoSdiP1MARfju7WnRrs8puyGSfokSNfsCo4C2JU0h86jOy1DNV65FXGkLOyitdkLf5bOFwFC8TwAnz9GJ
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:GVXPR07MB9678.eurprd07.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(376014)(1800799024)(8096899003)(7053199007)(38070700021)(4013099003)(4053099003);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: yME13OBBVodvp4S4p4opBFIYTR/GdrZLlhummvJsfFp6Ss8Y9Bs91adiplEl+SV7cSziMpoRqkCnaVUedXJ6/9o8KykHQuKu4tjxpNFGeFCpJilSGZBwl4LEsEWV7LInVuD8CMemeYZ9PKqJXGxYKTUgJIFoCaJP0GTrGKRA6kU1vS9NsgW3dM3IcGuYWsusDunTC5UgBA9xRmbMoHFQdXfMf9YvotGokmseXy0rnpiQ01P1LWs6c2tj0NNxfzExQjPEgDuRd25uN0whB8M460X8fLZyCBDkbSB6JeNtZ4WAWkMWhfWk3V8SepG8zOIp5CmkBygPCHG6MOryLc4zB4pFSDora2DT5klpS31pmL67ucWNe4aKOuecQWY0EFPj9lEJFQlGFxxuZSBmNG4jUIlOpiD9B7B/U02i2rJlomnH+fisKZ0EUHpqXqn+6EHuxfDoqVxonMxp3azVCxg7Krp1qDQ8DlqZzSweTQv85ZZwF1HkrZQ9RrjqhMn5nnzs80NBLXgD3cvOdcXcw1paCh5NQP8i9F49EZxEpQdGqAalFP6WZZDCDVIqTxdK1OZ3tA7Zu2B3ymzHmDT07MKYX4h9c6S1iGntUrqCHVegCi6twzROkC8741dv7V3k8L6O+ET+8vfxLf8TmXlJ2Ijv41olAicfWLPZ21RBgne9zbY9WElj4JHP2j86ihAJytkb1/TCg5QESVN8eCFmRCpP1dGnYUVavhMQwTecEP2Bljf6yRvaqI9gBB+GnEfxObCX2O/B0BOdYpKTKEDQk/nK+tjsBOzZe7gQmlLhGzbK5u4/oSRMr/b8j3BHfymVmuqJiBK07ZUXxM69kfTvWHjoY07tHyTxjGQJnb7F3G5NUsMaAYaHSl4A6v0BoRIQGDk0AKA+DO+jcCJDeGZ/XN1gg3PBI7lMn5WxPZvELyjj9D8WUoCurvU7ckmYgBPfujB0guN8A+JME1oQj8gKV2AGM/YC+QnRzieu4c+PBPSuwI5tRhg9g9JRvWwpfn4JNhu2y04vwxrSkxwSKHq7+X5o1gYVuIPWO9bf/3aK4C6CbP1uXD6rse7tzQ5Jlq51AZsoDMdgLfI5qd0Xq/wddoT/MWpUvAIFKgZ3Io+9Hp2omJkAgfDNLPcHvy00nkbG7kyL/kEv6dP1aKaZLwSgE2UlsYfx6Ax4tYMVxtaqXu9ytfcyJY8c5wUP3S7oxAkUwcp0iZDypq02iXVmNlMjjL9RuCJ3oDkZOG2hpy5bb4d/Lo5b8guJbqft3g2kB7+gy3fp6uDTHkDJyDtcW0Te3qmk66lTS+nKtKzSfsh7syw2q+Zz/1IMcuko5XRQGG313ULw8VqqZBbJf5Oc0pg7jkl6ijrkumHlFv8Vr/ZTI98l82yGrpdBspw459vd6HUgt4Pds3D0gn4ZxAxw96iztma81PtTr5KV/lVmpVx03gXIeSVV/FKedA7PnEi+JBYqqjwJMzfiZN73vwFRL5w8z64EbrRG7r+G1AZhWM+Bc7ZzaWoOslneh9TZZxcZX+Y9QppZzdPwuqOFF099jtXDSBGwFp0jR0UaPIP4VR/WntkDHfN2mYagPMw+3e9R0FXUFyLc9oa7yPURYTpL//G15cZTpJFrCtrwlFFMzuuYkolKnNo=
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha256"; boundary="_A696778D-ED03-9443-AFAB-C91F70327879_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GVXPR07MB9678.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fd17d813-86ed-482d-3bcc-08de0fec4c2c
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Oct 2025 15:21:09.7695 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: zlLaro5WcBONPOiaRo8QUGjVHBchYLNtK9jpCnCwk0G4Je/OBs6z/unyEBNHyFggTQE0Bbi+SykRdoc0pRdJaVLYXVGHKymB7vDhz/VPb9I=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAWPR07MB10093
Message-ID-Hash: YLLLOB62INZYX34LWF4MLZSNPNRAMAJH
X-Message-ID-Hash: YLLLOB62INZYX34LWF4MLZSNPNRAMAJH
X-MailFrom: john.mattsson@ericsson.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/eKCnZzQ8TGQsjTHbJrkCO2VgNmc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

>Compare the migration away from MD4, MD5, DSA, DES, RC4. 

MD2, MD4, MD5, and RC4 were all horribly broken. DSA and DES were standardized by NIST and have not been broken. The lesson from these examples is: use standardized cryptography, don’t use non-standardized cryptography.

Cheers,
John


On 2025-10-20, 17:11, "Simon Josefsson" <simon=40josefsson.org@dmarc.ietf.org> wrote: 
Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> writes: 



>> *EKR wrote:*>It's purely about whether we think it's reasonable to implement. 

>> 

>> This is the current meaning. RFC8447bis will change the meaning to: 

>> 

>> “This only means that the associated mechanism is fit for the 

>> purpose for which it was defined.” 

> 

> Right. Is it not the opinion of the TLS WG that P256/P-384 + MLKEM are fit 

> for that purpose? 



RFC8447bis requires IETF-consensus. I don't think that question has 

been asked IETF-wide at all so far, has it? Has there been any 

consensus call in the TLS WG on that question even? So we don't really 

know. 



> If not, on what basis, given that we require you to implement P-256 alone? 



I don't think this comparison with historic MTI of P-256 alone is 

relevant for deciding about P256+MLDSA today. 



It is reasonable that we required you to implement something a couple of 

years ago that we wouldn't require you to implement today, but we 

haven't gotten around to publishing an updated document. 



Compare the migration away from MD4, MD5, DSA, DES, RC4. The tendency 

to move beyond those algorithms happened long time before we got around 

to drop them from recommended/MTI status. 



By that line of reasoning, it would make sense to standardize and make 

MTI the brainpoolP256 curve too. I don't think that is reasonable 

today, so I think the analogy is invalid as an argument. 



/Simon

v2.35.0 | Report a Bug | By Email | System Status