[TLS] Re: [Last-Call] Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC

Nadim Kobeissi <nadim@symbolic.software> Wed, 03 June 2026 17:44 UTC

From: Nadim Kobeissi <nadim@symbolic.software>
Message-Id: <FD2E16FD-A121-473F-B7B4-E229E5F266D3@symbolic.software>
Date: Wed, 03 Jun 2026 19:44:07 +0200
In-Reply-To: <974c9e67-1166-47ad-9b0b-9e940527e313@app.fastmail.com>
To: Filippo Valsorda <filippo@ml.filippo.io>
References: <20260603125026.2336434.qmail@cr.yp.to> <974c9e67-1166-47ad-9b0b-9e940527e313@app.fastmail.com>
CC: "D. J. Bernstein" <djb@cr.yp.to>, tls@ietf.org, last-call@ietf.org
Subject: [TLS] Re: [Last-Call] Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fpG-g7zmBWQz_uTZ8FwvqmGjO8g>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>

> You are characteristically cherry-picking quotes from other venues, drawing false comparisons, and then demanding explanations. In a better-moderated forum, this behavior would be sanctioned as disruptive.

I would like to discourage the use of these cheap rhetorical tactics. Opening an email like this serves to bias the reader against the person you’re debating by immediately implicating their character.

Everyone is always cherry-picking to some degree. Nobody on this list is going through every single email point by point. God knows that if we were to do that to Dr. Bernstein’s thousand-page emails, we’d never be done! And yet, if it were you answering the email and someone accused you of “cherry-picking”, you could likely just as easily say something like “I don’t owe anyone the labor of going through point by point” or any other such flourish. These rhetorical flourishes are a dime a dozen. You can always pick the one that suits you best.

It reminds me of those scenes in the Spielberg film on Lincoln when the state representatives are debating on the House floor. It’s just rhetoric.

Dr. Bernstein’s debate style is absolutely exhausting: he writes very long emails and nitpicks details that you may not care about. But he hasn’t dished out anything close to the amount of insults (most recently from Soatok, not from you), nor this sort of underhanded attempt at discrediting his character, which I think is not being employed in good faith.

In the interest of being constructive, I’d like to point out that your own previous email today was in my opinion an excellent way to retort to Dr. Bernstein, especially the Sage script at the end (but the whole email is great anyway):

https://mailarchive.ietf.org/arch/msg/tls/iDPFnBDE-mA6Ojii6xI9ODzerr4/

Why not stick to this style? It serves you better, and you annoy fewer people.

Nadim Kobeissi
Symbolic Software • https://symbolic.software

> On 3 Jun 2026, at 7:08 PM, Filippo Valsorda <filippo@ml.filippo.io> wrote:
> 
> 2026-06-03 14:50 GMT+02:00 D. J. Bernstein <djb@cr.yp.to>:
>> Filippo Valsorda writes:
>> > all easy to find
>> 
>> Sorry, I still don't understand what you meant in claiming that there
>> will be "exceedingly few bugs" in ML-DSA software. How many bugs and how
>> many severe vulnerabilities are you estimating? Where are you getting
>> these numbers from?
>> 
>> Since your posting said that "a single broken key per month can be
>> catastrophic" and that a disaster chance above 1% is unacceptable since
>> "you are betting with your users' lives", I _think_ you're claiming that
>> there's a >99% chance that there are zero severe vulnerabilities in the
>> entire ML-DSA software ecosystem. But I'd appreciate a clear statement
>> so that I'm sure I'm not misunderstanding something.
> 
> You are characteristically cherry-picking quotes from other venues, drawing false comparisons, and then demanding explanations. In a better-moderated forum, this behavior would be sanctioned as disruptive.
> 
> In particular, you are taking my statement that there is now a > 1% chance of Ed25519/ECDSA/RSA being broken by a QC before 2030, and demanding I defend a different statement about ML-DSA I did not make. If you're confused about that, it's not my responsibility. I do stand by my assessment that the risk of ML-DSA forgeries (due to bugs or cryptanalysis) is smaller than that of Ed25519/ECDSA/RSA forgeries (due to bugs or quantum computers) or composites forgeries (due to bugs or due to their rollout being slower than quantum computers).
> 
> You are also not engaging with the parts of the conversation that don't suit your narrative, so this is not helping anyone, and this will be my last reply. I do have one final question: are you going to publish a retraction of your statements on the applicability and availability of Project Wycheproof test vectors, now that they were shown to be factually inaccurate?