[TLS] Re: tls-server-end-point channel binding for ML-DSA
David Benjamin <davidben@chromium.org> Fri, 31 October 2025 12:51 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/eu_yvYdorbyJ7WePchUkS-qA6_g>
Yeah, if it's feasible to list out the exceptions, this seems a nice way to get out of this mess. Although I think one of the SHA-2 family should be the hash for the existing channel binding. SHA-3 is slow, and every TLS stack will have SHA-2 available, in a way that they won't for SHA-3. While PQ algorithms regrettably use SHA-3, it may be internal to the PQ implementation. (The really PQ implementations even need a funny multiple-hashes-in-parallel version, so the code sharing opportunity is less than one might think.) Whereas SHA-2 is used directly at the KDF level in TLS. More importantly, it is already a dependency of existing users of that channel binding.

If we're moving to a model where we have new hash-specific channel bindings, those who want something in the SHA-3 family can use tls-server-end-point-SHAKE256.

David

On Fri, Oct 31, 2025, 00:07 Nico Williams <nico@cryptonector.com> wrote:

> In retrospect what we should have done is specified
>
> tls-server-end-point-<hash>
>
> and left it as a problem for apps to negotiate one of these if ever they
> should have to.
>
> Perhaps what we should do for now is something like update RFC 5929 and the
> registration of tls-server-end-point to list the digest alg to use for
> existing signature algs for which TSEP is working today, then say to use
> SHAKE256 for all others.
>
> And perhaps we should specify tls-server-end-point-SHAKE256 as well
> while we're at it.
>
> Nico
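As an added example (not code from this thread or from any of its participants), here is the RFC 5929 hash-selection rule the thread is arguing about, written in Python: the server's end-entity certificate is hashed with the hash named by its signatureAlgorithm, MD5 and SHA-1 are upgraded to SHA-256, and an algorithm that names no single hash (ML-DSA) leaves the binding undefined. The SHAKE256 fallback and its 32-byte output length are assumptions modelled on the proposal quoted above, not anything RFC 5929 specifies.

```python
import hashlib

# X.509 signatureAlgorithm OID -> the single hash function it names.
SIGALG_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}

# ML-DSA signature OIDs (NIST CSOR sigAlgs arc). The AlgorithmIdentifier
# names no hash, which is exactly why RFC 5929 leaves TSEP undefined here.
ML_DSA_OIDS = {
    "2.16.840.1.101.3.4.3.17",  # id-ml-dsa-44
    "2.16.840.1.101.3.4.3.18",  # id-ml-dsa-65
    "2.16.840.1.101.3.4.3.19",  # id-ml-dsa-87
}


def tsep_hash_name(sig_alg_oid, shake_fallback=False):
    """hashlib name to use for tls-server-end-point (RFC 5929, section 4.1).

    MD5 and SHA-1 are upgraded to SHA-256. An algorithm naming no single
    hash leaves the binding undefined, so raise unless the caller opts into
    the SHAKE256 fallback proposed in the thread (an assumption here).
    """
    name = SIGALG_HASH.get(sig_alg_oid)
    if name in ("md5", "sha1"):
        return "sha256"
    if name is not None:
        return name
    if sig_alg_oid in ML_DSA_OIDS and shake_fallback:
        return "shake_256"
    raise ValueError(f"tls-server-end-point undefined for {sig_alg_oid}")


def tls_server_end_point(cert_der, sig_alg_oid, shake_fallback=False):
    """Channel binding value: hash of the DER end-entity certificate."""
    name = tsep_hash_name(sig_alg_oid, shake_fallback)
    if name == "shake_256":
        # SHAKE256 is an XOF; a 32-byte output length is assumed here.
        return hashlib.shake_256(cert_der).digest(32)
    return hashlib.new(name, cert_der).digest()
```

Calling `tsep_hash_name` with an ML-DSA OID and no fallback raises, which is the interoperability gap the thread is trying to close; two peers that silently pick different fallbacks would compute different bindings and fail authentication.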