[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08)

Nadim Kobeissi <nadim@symbolic.software> Sun, 28 June 2026 20:06 UTC

From: Nadim Kobeissi <nadim@symbolic.software>
Date: Sun, 28 Jun 2026 22:06:41 +0200
To: Sean Turner <sean@sn3rd.com>
CC: TLS List <tls@ietf.org>
Message-Id: <27E771D2-D243-49F2-8AEB-BA7EC4658CC8@symbolic.software>
In-Reply-To: <ECF71D53-F28B-41B5-96FA-A800ADB0C729@sn3rd.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/h-aRkNhXva1Ts-sLYiBmY-lfWQA>

Hi Sean,

I apologize; I only saw your emails after I sent my most recent one. I wrote it on my phone while walking my dog and thus didn’t read the thread in its entirety until after I had sent it. I did not mean to ignore your recommendations.

Nadim Kobeissi
Symbolic Software • https://symbolic.software

> On 28 Jun 2026, at 9:46 PM, Sean Turner <sean@sn3rd.com> wrote:
> 
> AGAIN!!!!
> 
> Let’s stick to the consensus call, "I support" or "I do not support", as was requested in the email that began this thread.
> 
> I will, again, repeat the reminder about conduct:
> 
> Conduct Reminder: Given the heated nature of previous discussions on this topic, participants are strongly reminded to adhere to the IETF Code of Conduct (BCP 54) and the TLS WG's Mail List Procedures. Keep feedback professional, technical, and focused on the document's text.
> 
> For the TLS Chairs,
> spt
> 
>> On Jun 28, 2026, at 15:42, Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> wrote:
>> 
>> Hi D. J. Bernstein,
>> 
>> I'd be happy if you could show me a concrete attack on the integration of ML-KEM in TLS that I can double-check in ProVerif, rather than referring to older attacks or complaining about absence of details in ProVerif. I'll try my best to put in all the details in ProVerif that you want. Please keep your email response focused on exactly that rather than what chairs or others did. Thank you!
>> 
>> If you don't show me a concrete attack, I'll not respond because there is no actionable gap for us to model since the combination of symbolic and computational proof provides sufficient coverage.
>> 
>> On 28.06.26 19:46, D. J. Bernstein wrote:
>>> Muhammad Usama Sardar writes:
>>>> D. J. Bernstein wrote:
>>>>> The TLS WG chairs write:
>>>>>> Significant developments have occurred both within this document and
>>>>>> in the broader TLS ecosystem to address the concerns raised in the
>>>>>> last WGLC.
>>>>> False.
>>>> If you believe Nadim's formal analysis in ProVerif is not a significant
>>>> development
>>> My comments have nothing to do with the judgment call of what qualifies
>>> as "significant".
>> Then, I kindly ask you not to use words like "sideshow" for someone's substantial technical concern. As John says, key reuse is a fundamental security concern.
>>>> John is surely not the only one. Key reuse was one of my *major*
>>>> concerns.
>>> Sorry if I missed some previous text (but then why don't you provide a
>>> quote?).
>> Because I thought WG participants might trust me that I am not lying. 
>> 
>> Anyway, here you go from Thu, 27 Nov 2025 11:18:11 -0800 (PST) according to archives [0]:
>> 
>> I have no opinion from PQ perspective but from traditional crypto perspective, I agree with your concern on key reuse. Intuitively, I would assume the same problems would hold in pure PQ but there may be subtleties.
>> 
>> Anything else I can do for you to assure you that John was not the only one objecting to key reuse, or to assure you that key reuse was a technical concern that I have had for quite a long time?
>> 
>> Back then, I was -- unfortunately -- not able to formally prove it and hence, I did not emphasize it a lot. Nevertheless, my belief was that it is a weakness that can be exploited together with other weaknesses. And I believe that is typically what happens in reality too. I think there is rarely a single weakness in real-world compromises. It's often a combination of weaknesses which lead to bigger vulnerabilities.
>> 
>>>> AFAIU, most of the 25 objectors
>>>> from the last WGLC now seem to be satisfied with the formal proof. I've seen
>>>> only 4-5 of those still objecting. All other objectors so far are new
>>> Your numbers are not backed by URLs or other evidence; I have no idea
>>> why you think excluding "new" objectors is justified;
>> I'm not excluding anyone at all. I'm just saying that based on the information we had from last WGLC objectors, we tried to get confirmation on all sides as far as we could: both symbolic and computational proofs.
>> 
>> We requested feedback on formal analysis or what else we can do to satisfy the needs of other objectors. Nobody showed up. And hence, WGLC is well-justified to understand what technical work needs to be done -- or alternatively whether spending any further WG energy on this draft is worth it.
>> 
>> Best,
>> 
>> -Usama
>> 
>> [0] https://mailarchive.ietf.org/arch/msg/tls/cGVWArNZO-N_r-5u5K8lBoVUitY/
>> 
>> _______________________________________________
>> TLS mailing list -- tls@ietf.org
>> To unsubscribe send an email to tls-leave@ietf.org