[TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
Simon Josefsson <simon@josefsson.org> Tue, 07 October 2025 18:32 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 8EACB6ED57A8 for <tls@mail2.ietf.org>; Tue, 7 Oct 2025 11:32:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.401
X-Spam-Level:
X-Spam-Status: No, score=-4.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=josefsson.org header.b="0Wjw/bMD"; dkim=pass (2736-bit key) header.d=josefsson.org header.b="oDp+gOOX"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VQMT-dmoNZZw for <tls@mail2.ietf.org>; Tue, 7 Oct 2025 11:32:14 -0700 (PDT)
Received: from uggla.sjd.se (uggla.sjd.se [IPv6:2001:9b1:8633::107]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 7CFC66ED56EE for <tls@ietf.org>; Tue, 7 Oct 2025 11:32:14 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=ed2303; h=Content-Type:MIME-Version:Message-ID:Date: References:In-Reply-To:Subject:To:From:Sender:Reply-To:Cc: Content-Transfer-Encoding:Content-ID:Content-Description; bh=07ilCbSi46Cj4RD4yqMSjswfJnFaqhr6SmUelBLf0YA=; t=1759861930; x=1761071530; b=0Wjw/bMDRg0lck1+4JIB59ZRf9ZzRE2qxGrqa7dMGrDbaRDzWVUlsgw5IlueCYQWwlAw+zPa6LD KnTQOV3v0CQ==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=rsa2303; h=Content-Type:MIME-Version:Message-ID:Date: References:In-Reply-To:Subject:To:From:Sender:Reply-To:Cc: Content-Transfer-Encoding:Content-ID:Content-Description; bh=07ilCbSi46Cj4RD4yqMSjswfJnFaqhr6SmUelBLf0YA=; t=1759861930; x=1761071530; b=oDp+gOOX052gbFdF8qoQVsYcQxGGgxrD7Ym9ySs5J2plWr/NviqddZwBroXLpSt0QlHtazqOsji sZ2XtpQ4n/Vx59JREJ7EHjinlbO3FoYJxssc/lOTZiq8chxUYhPneOoV7pqn4UM3u6S+eeP7T6pDl g4Uu+sdBLYCeboI0kUuMzY34XesatkKTdX9yyuQ7MeZGnwdjgCLwzDdc37a8f00oCM/OBruA6jKcq B0qxT1xWhAzlfP1uDy3qg0qNkHmDmr6gnTAmyFy3n6D8uzGMo6H3aCEbMQ5UGA5lKkjxuaaYDmf4p 9/rm6IsVRTpvQet7QxLbvh1e5cvelv4IvsGlWCkuNGkdr9TgUN5NgPfzTFrPt5JJ8qDHqGhQ1geCO Bcfhe5jbPksHyETr/1Ia61Zo7WyItRMp39GhdHrNUSPBf6blSbbriDxCUw7KuZCMgyqahaAcv;
Received: from [2001:9b1:41ac:ff00:e248:3a10:8c0e:7ff8] (port=38654 helo=kaka) by uggla.sjd.se with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <simon@josefsson.org>) id 1v6CTp-00G8tq-Fb for tls@ietf.org; Tue, 07 Oct 2025 18:32:09 +0000
From: Simon Josefsson <simon@josefsson.org>
To: tls@ietf.org
In-Reply-To: <aOVWcf9JFllri-vG@netmeister.org> (Jan Schaumann's message of "Tue, 7 Oct 2025 14:05:37 -0400")
References: <CAOgPGoA+c8kXDizwsvFG5tLz9+Kxk0HqiN1skKp5jMvvpxeu0Q@mail.gmail.com> <CABcZeBO+3u=1=ueNscq+O74Qv=7PC5NedsGsugp=GZjVqtODoQ@mail.gmail.com> <CAMjbhoVcxTfppSrkC27F8uf9hKvqTDBsG_-dzGtWbjia5YhmXw@mail.gmail.com> <aOVWcf9JFllri-vG@netmeister.org>
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt
X-Hashcash: 1:23:251007:tls@ietf.org::iVh72eMfZ9TlTST8:0cXod
Date: Tue, 07 Oct 2025 20:31:52 +0200
Message-ID: <87h5wapnqf.fsf@josefsson.org>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Message-ID-Hash: WLTM7IAYKRUZS3ZVSK5YN23QJIXJWZZC
X-Message-ID-Hash: WLTM7IAYKRUZS3ZVSK5YN23QJIXJWZZC
X-MailFrom: simon@josefsson.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/eKWxJUTNKHLtg1uKKglDQ6aseSw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
The discussion below suggests to me that X25519MLKEM768 is the running code de-facto algorithm that ought to be on the Standards Track and Recommended=Y and the other variants should be split off to a separate Informational document with Recommended=N for niche usage. I believe generally that we need multiple PQ-safe hybrids as Standards Track and MUST/Recommended algorithms for all our Internet security protocols like TLS, SSH, etc, so I would encourage deployment of additional PQ-safe hybrids for TLS. Settling with X25519MLKEM768 only is not the final solution. Mitigating algorithm profileration is a consideration, but security heding is more important. It would be nice to get X25519 combined with FrodoKEM, Classic McEliece, SNTRU, and more deployed for TLS too, so we have options. I believe it makes more sense to add some other PQ KEM as a StandardsTrack/MUST/Recommended than to have SecP256MLKEM768 there. In fact, I would go further and say that we should progress two at the same time, to not get into a single point of failure situation. /Simon Jan Schaumann <jschauma=40netmeister.org@dmarc.ietf.org> writes: > Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org> wrote: >> This is the breakdown of client support Cloudflare sees (relative to any PQ >> support) in the last 24 hours by handshakes: >> >> 94% X25519MLKEM768 >> 8.1% X25519Kyber768 >> 0.038% MLKEM768 >> 0.014% CECPQ2 >> 0.012% MLKEM1024 >> 0.002% SecP384MLKEM1024 >> 0.002% SecP256MLKEM768 >> 0.00005% MLKEM512 >> 0.0000003% SecP256Kyber768 > > [...] > >> I can see an argument for Recommended=Y for both X25519MLKEM768 and >> SecP384MLKEM1024, but I do not see any value in recommending both >> X25519MLKEM768 and SecP256MLKEM768. > > On the flip side, and as just some data points here, I > recently did a check[1] of which sites/providers offer > PQC, and what key groups they support. Not > surprisingly, it's almost all (and _only_) > X25519MLKEM768. > > Amazon Cloudfront (as pretty much the only large > service provider) offers SecP256r1MLKEM768. > > This is not surprising: AFAICT, the browsers only > support X25519MLKEM768. If no servers offer anything > else, then browsers have no incentive to implement > other key groups; if no browsers offer other > keygroups, then servers have no incentive to offer > them. > > -Jan > > [1] https://www.netmeister.org/blog/pqc-use-2025-09.html > > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Paul Wouters
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Working Group Last Call for Post-quantum Hy… Joseph Salowey
- [TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Post-quantu… David Adrian
- [TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Deirdre Connolly
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… tirumal reddy
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Andrei Popov
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Thom Wiggers
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… David Benjamin
- [TLS] Re: [External⚠️] Re: Working Group Last Cal… Yaroslav Rosomakho
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Eric Rescorla
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: Working Group Last Call for Post-quantu… Martin Thomson
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
- [TLS] Re: [External] Re: Working Group Last Call … D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Filippo Valsorda
- [TLS] Re: [External] Re: Working Group Last Call … Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: [External] Re: Working Group Last Call … John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Dennis Jackson
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Stephen Farrell
- [TLS] Re: Working Group Last Call for Post-quantu… Joseph Birr-Pixton
- [TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
- [TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
- [TLS] Re: Working Group Last Call for Post-quantu… Christopher Patton
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Muhammad Usama Sardar
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Rob Sayre
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
- [TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
- [TLS] Appeal Response to Rob Sayre - was Re: Re: … Paul Wouters
- [TLS] Re: Appeal Response to Rob Sayre - was Re: … Rob Sayre
- [TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
- [TLS] Re: Working Group Last Call for Post-quantu… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
- [TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
- [TLS] Re: Working Group Last Call for Post-quantu… Peter Gutmann
- [TLS] Re: Working Group Last Call for Post-quantu… Yaakov Stein
- [TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
- [TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
- [TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
- [TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
- [TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
- [TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
- [TLS] Re: Working Group Last Call for Post-quantu… Joseph Salowey