[TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3

Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 12 April 2026 14:59 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 1A8C8DAC29EA for <tls@mail2.ietf.org>; Sun, 12 Apr 2026 07:59:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1776005972; bh=ogpGYlAC7kXFxEm3jFWvMYBJjvDIQk7rDv7vorre3pE=; h=Date:From:To:Subject:References:In-Reply-To; b=zNenONH5dSFDJidaS+e+ZcyctpeQY2s7rP3p+7usttN5WWp6tkBsUQ0XPR5JtfmQb lhrrJv4CZOzmZ4P0otvUP4DwC8ogveW4JpNhCv3UGBuRvVglqLCVl6oLzo/uAQ4wvI Aqy/0GbkgSaBx96fe1kmx4co0XNNByr+AOzWr6Ow=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=welho.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 17ZbU3hz2qX0 for <tls@mail2.ietf.org>; Sun, 12 Apr 2026 07:59:31 -0700 (PDT)
Received: from smtp.dnamail.fi (sender103.dnamail.fi [83.102.40.157]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 6C04FDAC2952 for <tls@ietf.org>; Sun, 12 Apr 2026 07:59:03 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by smtp.dnamail.fi (Postfix) with ESMTP id 3CF5A4098F32 for <tls@ietf.org>; Sun, 12 Apr 2026 17:58:55 +0300 (EEST)
X-Virus-Scanned: X-Virus-Scanned: amavis at smtp.dnamail.fi
Received: from smtp.dnamail.fi ([83.102.40.157]) by localhost (dmail-psmtp02.s.dnaip.fi [127.0.0.1]) (amavis, port 10024) with ESMTP id AukVYkeUP7DH for <tls@ietf.org>; Sun, 12 Apr 2026 17:58:54 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-92-117-27.bb.dnainternet.fi [87.92.117.27]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: hliusvaa@dnamail.internal) by smtp.dnamail.fi (Postfix) with ESMTPSA id 9C4F84098F07 for <tls@ietf.org>; Sun, 12 Apr 2026 17:58:54 +0300 (EEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp.dnamail.fi 9C4F84098F07
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=welho.com; s=2025-03; t=1776005934; bh=EsqFgbo+cLTHnpJ6mp/OvdLNkDzXqRFFSKpgQZdsHqk=; h=Date:From:To:Subject:References:In-Reply-To:From; b=AuDW72LWARrck9lMNcXOCvgiQhuVKtkj32uS18Ld5EALjX5Rdmx2Iv3/gAB83UWhW zrLxSdeW7zZH+E7SbNigj8xB/7I7b4G5Rq0fkbSJSo0Yk2zxG0q6b9Z3PUlMoRlsNA wMQ9shVm/dd3SNx1HQfop5OIm5B6hEU72aXKmHp9dN3kKK4VZqyPmJifWZXm/EniHF NoiVwCE8JivtgD/sROFtna/G1FHPcn4vs3LJngduTYMNSkMdloFN4F6SdVBCzJX37R iqlEwBBmX4s4K5Xsz/lgI3Mw0rKZjmhNVxBZPGkoagVb5jA48yEWPEmnOxNHUPZ9Ef aOETLehKdE1xw==
Date: Sun, 12 Apr 2026 17:58:54 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: TLS List <tls@ietf.org>
Message-ID: <aduzLrLPhev1nFR3@LK-Perkele-VII2.locald>
References: <CAMjbhoWwvfkfScpbf4-5PBzk__qb+6M4ZzAOba64kk9aXBba5g@mail.gmail.com> <d47a34ab-7fb9-4687-84aa-a5fa6bcf6a6c@tu-dresden.de> <CAMjbhoWBHmJnLx7wRG9iyurAHrSCExxO83G8PN=TnQUidp84SQ@mail.gmail.com> <3e539579-4107-41fc-80a5-824b24c275be@tu-dresden.de> <CABcZeBO59jwCA=vKiJ=QZaU8rPJxKv_WwFGOTot0jR+hpiFuLQ@mail.gmail.com> <43fd169d-d280-40dd-9d2c-311040bed4ad@tu-dresden.de> <CABcZeBMF=GXHY9syqbh0ir33=MxXHpbz5jpt5p8_YNo8yNmmdA@mail.gmail.com> <6cf2c9d5-3846-4685-9615-0de2195b6e15@tu-dresden.de> <CABcZeBPU2th2e1Dmp3dd==-K9oZE9kJASYBwCUQPc4EzQYdpuA@mail.gmail.com> <8618f27a-84ae-418a-8eaa-b6530bb6fc09@tu-dresden.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <8618f27a-84ae-418a-8eaa-b6530bb6fc09@tu-dresden.de>
Sender: ilariliusvaara@welho.com
Message-ID-Hash: HY57BPRSNK7RUKOXCPXWAHBDIMFWAXYU
X-Message-ID-Hash: HY57BPRSNK7RUKOXCPXWAHBDIMFWAXYU
X-MailFrom: ilariliusvaara@welho.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/eKm7V-5WFhM5RYVx7yQ-aVD7i30>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Sun, Apr 12, 2026 at 01:51:58PM +0200, Muhammad Usama Sardar wrote:
> 
> In particular, say you are an implementer used to reading IETF documents and
> not NIST documents. Security considerations being offloaded to NIST document
> is an additional burden for you. But let's put that aside. For your
> implementation, would you interpret that text as SHOULD NOT or MUST NOT in
> IETF sense? How would you resolve this ambiguity?

It is clearly SHOULD NOT.

 
> And I believe this ambiguity has significant high-stakes impact. Say you
> manage to resolve it as SHOULD NOT: All confidential computing solutions are
> /almost exclusively/ based on TLS protocol. Would you let attacks like
> BadRAM, TEE.fail and wiretap.fail continue to be exploited? To me, this
> seems like a disservice to the community, given a demonstrated history of
> exploited attacks.

Randomized signing does not help there.

Furthemore, things like BadRAM, TEE.fail and wiretap.fail are far from
the worst threats. And the worst threats are becoming even worse...




-Ilari