[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM Post-Quantum Key Agreement for TLS 1.3

Nico Williams <nico@cryptonector.com> Tue, 15 April 2025 21:45 UTC

Date: Tue, 15 Apr 2025 16:45:36 -0500
From: Nico Williams <nico@cryptonector.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Message-ID: <Z/7TgGIkmvV2fdAk@ubby>
References: <78F26652-C656-450F-A92D-BD53F8E743AD@sn3rd.com> <20250415195351.229309.qmail@cr.yp.to> <BN0P110MB14198B6485FA1CD4F6128B8290B2A@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <BN0P110MB14198B6485FA1CD4F6128B8290B2A@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM>
CC: "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM Post-Quantum Key Agreement for TLS 1.3
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fF8pL92WEN-J_tbaQX4Dit-3cXs>

To begin with, the call for adoption has not ended yet as there are
still a couple of hours left.

On Tue, Apr 15, 2025 at 08:57:47PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> “Consensus” is not about reaching no dissenters. It’s about the
> “prevailing” opinion of the majority, which in this case appears to be for
> adoption of this draft. Despite objections raised by several people.

Sure, but to declare dissenters in the rough requires at least a bit of
hand waving -- at least recognition that there were dissenters.  If
there are reasoned objections, especially of the "that can't work" sort,
then those must be addressed.  Now here there are no objections of the
"that can't work" sort, so perhaps the objections can be dismissed
easily enough as being matters of opinion, but still an explanation
would be appropriate.

IMO the objections here are in fact easily dismissed because a) there
were no objections with technical reasons that were fatal to the work in
question, and b) given (a), the real question (though I'm not sure that
was answered) is whether there are enough participants willing to review
the work.

The objections were all about policy: should TLS support non-hybrid,
pure-PQ options?  And the answer to that will be a matter of opinion,
which is why if the objections were only about that then in a way they
are easily dismissed.

But the policy question did need to be addressed independently of the
question of whether to adopt this work.  The policy question should be
addressed first.

As to the policy question [that was not, but should have been, the
subject of this thread] IMO it's much easier to be confident that a
hybrid indeed is as secure as the most secure of its pre-PQ and post-PQ
components than it is to be confident that either alone is as strong as
the hybrid.  Sure, the hybrid's construction can itself be broken,
but I think it's easier to reason about the hybrid's construction than
it is to reason about the cryptosystems being combined.

The policy question, if called, could in principle lead to the IETF
asking the ISE not to publish this work.

Ignoring the policy question, the adoption question is really a question
about whether the proposed KEM is fatally flawed (not quite, not yet) or
whether the WG has enough bandwidth to review the work (apparently yes).

My position is that the policy question needed to be called first,
before the adoption question.

Nico
--