[TLS] Re: What about AuthKEM? / Online-Offline signature split
Thom Wiggers <thom@thomwiggers.nl> Wed, 08 April 2026 11:44 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gT5NlrmdMOmrBWSoTH-j0euHjXU>
Hi all,

As main author of AuthKEM (née KEMTLS) I’m of course a big fan of continuing discussions on it. The drafts have essentially been sitting on a simmer: I’m keeping them alive to indicate that we’re still interested in the proposal. At the same time, there are some things to overcome and in development that are probably required to make AuthKEM more attractive, which is why we’re not pushing them actively. I’m also “just” an academic and don’t want to just push my pet project onto others.

The main problem is AuthKEM does not get rid of the signatures in the certificate chain. This means that in “WebPKI” deployments, you’re going from (say) 6 signatures to 5. Aside from the fact that you could maybe do “fancier” signatures in the chain (which you could also do with ML-DSA-leaf certificate chains), this certainly reduces the relative gains.

PLANTS / MTC is actually something that could be helpful here, as it helps reduce the number of signatures to “just” the handshake signature. So with MTC’s reduced signature format, the relative gains of replacing the “last” ML-DSA signature are much more pronounced.

AuthKEM may also be interesting to environments that don’t use the WebPKI. At RWC, Viktor suggested looking at DANE in SMTP; I would be interested in exploring this and other environments more. [^1]

Cheers,

Thom

[^1] on a more philosophical note, I wonder if we will see that the “everything uses TLS” trend will be broken by PQC, if/when TLS-with-sigs-without-resumption becomes too big for constrained environments. See also other “esoteric” proposals like https://datatracker.ietf.org/doc/draft-housley-tls-using-mls-handshake/

> On 8 Apr 2026, at 07:49, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
>
> On Sun, Apr 05, 2026 at 07:32:27PM -0400, Daniel Apon wrote:
>
>> KEMTLS is fantastic,
>
> It certainly looks very interesting, and worthy of further exploration.
>
> --
> Viktor. 🇺🇦 Слава Україні!