IETF Logo Mail Archive

[TLS] Re: [Last-Call] Re: Re: Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC

Falko Strenzke <falko.strenzke@mtg.de> Wed, 03 June 2026 10:28 UTC

Return-Path: <falko.strenzke@mtg.de>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id AFEB1F9FA144; Wed, 3 Jun 2026 03:28:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1780482503; bh=fH7S4Nyy+v1o0B6MkVoA9jjGG8/1xt0rbtggeKB8ANo=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=rUfFdvbG0y4VRGE+e/leytHYESmY/bqSkfnRXZqK9ndA6ePHug6gCMa5zfwybw4sF xFaUBpBraPEHgrntBm78nKubzWQF4H6nOa6Q1HShGQMVvDyJIJk4PPOXSJ8xJm4WkL R6wAXVK/mz8q4+MintqLSn49p6OSNPu0HUtyigBk=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=mtg.de
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wx3iVs4Lkya8; Wed, 3 Jun 2026 03:28:21 -0700 (PDT)
Received: from www.mtg.de (www.mtg.de [IPv6:2a02:b98:8:2::2]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 9A076F9FA0C7; Wed, 3 Jun 2026 03:28:06 -0700 (PDT)
Received: from minka.mtg.de (minka [IPv6:2a02:b98:8:1:0:0:0:9]) by www.mtg.de (8.18.2/8.18.2) with ESMTPS id 653ARvhs019142 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Wed, 3 Jun 2026 12:27:57 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mtg.de; s=mail201801; t=1780482477; bh=fH7S4Nyy+v1o0B6MkVoA9jjGG8/1xt0rbtggeKB8ANo=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=Uthxp/E57L7drX4OZzEr3FsD6Y/dIpMrPzS7Ej8pEsPDIh60U6k7tsicuCGORlIP8 y5unbSIU3G6c2zJ+0ipE/UCXlsnFOMMcYSu7kftTwmjs2qWAULEbbhOs4OPReyb0bL 5zgDPftzBikrp7KA1d5CqA+XpARtdGdzK+8VbbptXRjHjt7CTRJUnMd314p0xrYBNV 7l5wTuFa5++iGp5EA/KlG/QwzHp/SmMYamVkwNSrHqiTlCI8USs++XMO/wuMTLI7e5 jOM/481Khj9rrVmxtkgvwn3eU8Q5xQrZPExUxd7hzZm6/scHH7HVT9rS0ayBF8vJsA nZn535No1KJ6w==
Received: from [10.8.0.100] (vpn-10-8-0-100 [10.8.0.100]) by minka.mtg.de (8.18.2/8.18.2) with ESMTPS id 653ARtCn026452 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Wed, 3 Jun 2026 12:27:55 +0200
Message-ID: <238150ee-3053-475b-8f44-7693b72c1710@mtg.de>
Date: Wed, 03 Jun 2026 12:27:55 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Loganaden Velvindron <loganaden@gmail.com>
References: <AS4PR07MB882587992ABF4996EF4759ED89132@AS4PR07MB8825.eurprd07.prod.outlook.com>
Content-Language: en-GB
From: Falko Strenzke <falko.strenzke@mtg.de>
Organization: MTG AG
In-Reply-To: <AS4PR07MB882587992ABF4996EF4759ED89132@AS4PR07MB8825.eurprd07.prod.outlook.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms050103040809050609090103"
Message-ID-Hash: YJJEOEDQZVXRKU3TBBUVA7PXT4DHVRPI
X-Message-ID-Hash: YJJEOEDQZVXRKU3TBBUVA7PXT4DHVRPI
X-MailFrom: falko.strenzke@mtg.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Sophie Schmieg <sschmieg=40google.com@dmarc.ietf.org>, IETF TLS <tls@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [Last-Call] Re: Re: Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hPQFZ05nkyRUA2Y-zoSk9gLfyBM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Am 03.06.26 um 10:17 schrieb John Mattsson:
> Loganaden Velvindron wrote:
> >What are the security issues you see in this pr ?
> >_https://github.com/djmdjm/openssh-wip/pull/64_ 
> <https://github.com/djmdjm/openssh-wip/pull/64>
>
> The PR is based on draft-ietf-lamps-pq-composite-sigs [1]. As I wrote 
> previously:
>
> All modern signature schemes (RSA-PSS, EdDSA, LMS, XMSS, ML-DSA, 
> SLH-DSA, FN-DSA) avoid trivial attacks on strong unforgeability and 
> are widely believed to provide a high level of SUF-CMA security [2]. 
> The transition to PQC provides an excellent opportunity to phase out 
> signatures with trivial attacks on strong unforgeability. Malleable 
> signatures have enabled serious attacks in the past [3] and will 
> likely do so again if they continue to be used.
>
> Malleable signatures can undermine system integrity, auditability, and 
> provenance, and, in the worst case, may even enable replay attacks, 
> see [4]. This is also true for certificates. There is a significant 
> gap between what people think a certificate fingerprint represents and 
> what cryptography actually guarantees when a certificate is signed 
> with a malleable signature algorithm. With such signature algorithms, 
> a CA does not issue a single certificate; instead, it issues a set of 
> valid certificates, each with its own fingerprint.
>
As I pointed out before on this list, irrespectively of the correctness 
of this point, it is not relevant to the draft we are discussing here. 
ML-DSA-composite X.509 CA certificates are already standardised once 
draft-ietf-lamps-pq-composite-sigs becomes an RFC. The only relevant 
point in the discussion at hand can be whether TLS end-entity 
certificates with ML-DSA-composite keys introduce problems. Since EE 
certificates don't sign other certificates, I wonder what exactly you 
are referring to when you write about mismatching fingerprints. You 
should point out where in the TLS protocol such malleable fingerprints 
occur and why they are a problem, as this is the only point where the 
composite signatures performed by TLS EE certificates will occur.

Falko

> This mismatch has practical consequences. Logging, SIEM, and threat 
> intelligence systems often record events such as “Observed certificate 
> fingerprint X connecting to service Y,” implicitly treating the 
> fingerprint as a stable identifier. Similarly, some firewall 
> blocklists operate on fingerprints (e.g., “Block fingerprint X”), see 
> e.g., [5], and incident response workflows often rely on fingerprints 
> as unique identifiers when searching for the attacker across datasets. 
> In the presence of only EUF-CMA guarantees, these assumptions break 
> down, as the same underlying certificate can appear under many 
> fingerprints. Nation-state attackers are known to deliberately confuse 
> logging systems, evade signature-based detection, and introduce 
> ambiguity into forensic analysis, and they can be expected to exploit 
> signature malleability for these purposes as well.
>
>
> Some poorly designed composite signature constructions such as [1] not 
> only significantly reduce the security properties of ML‑DSA by 
> inheriting the malleability of ECDSA, but also introduce additional 
> malleability weaknesses. The composites in [1] also significantly 
> weaken the security of ML-DSA by failing to preserve its 
> beyond-unforgeability (BUFF) properties [6–7]. As shown in [8], 
> existential unforgeability alone does not capture the guarantees 
> required by real-world protocols, and the lack of beyond 
> unforgeability (BUFF) properties in traditional signature schemes has 
> enabled concrete attacks on deployed systems; see [6–7]. We note that 
> there exist signature combiners that preserve both SUF-CMA and BUFF 
> properties [9].
>
> [1] Composite ML-DSA for use in X.509 Public Key Infrastructure
>
> _https://datatracker.ietf.org/doc/html/draft-ietf-lamps-pq-composite-sigs_ 
> <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-pq-composite-sigs>
>
> [2] Digital signature schemes with strong existential unforgeability
>
> _https://pmc.ncbi.nlm.nih.gov/articles/PMC9925878/_ 
> <https://pmc.ncbi.nlm.nih.gov/articles/PMC9925878/>
>
> [3] Bitcoin Transaction Malleability and MtGox
>
> _https://link.springer.com/chapter/10.1007/978-3-319-11212-1_18_ 
> <https://link.springer.com/chapter/10.1007/978-3-319-11212-1_18>
>
> [4] OWASP, Signature Malleability
> _https://scs.owasp.org/SCWE/SCSVS-CRYPTO/SCWE-054/_ 
> <https://scs.owasp.org/SCWE/SCSVS-CRYPTO/SCWE-054/>
>
> [5] Secure Firewall - Blacklisted SSL Certificate Fingerprint
> _https://research.splunk.com/network/c43f7b49-2dab-4e76-892e-7f971c2f20f1/_ 
> <https://research.splunk.com/network/c43f7b49-2dab-4e76-892e-7f971c2f20f1/>
>
> [6] BUFFing signature schemes beyond unforgeability and the case of 
> post-quantum signatures
>
> _https://ieeexplore.ieee.org/document/9519420_ 
> <https://ieeexplore.ieee.org/document/9519420>
>
> [7] A Framework for Advanced Signature Notions
>
> _https://eprint.iacr.org/2025/960.pdf_ 
> <https://eprint.iacr.org/2025/960.pdf>
>
> [8] Seems Legit: Automated Analysis of Subtle Attacks on Protocols 
> that Use Signatures
>
> _https://eprint.iacr.org/2019/779.pdf_ 
> <https://eprint.iacr.org/2019/779.pdf>
>
> [9] Bird of Prey: Practical Signature Combiners Preserving Strong 
> Unforgeability
>
> _https://eprint.iacr.org/2025/1844.pdf_ 
> <https://eprint.iacr.org/2025/1844.pdf>
>
> ---
>
> Some comments on the PR conversation
>
> >Non-canonical S is also accepted
>
> 1. This implies that the Ed25519 implementation is based on old code 
> not compliant with RFC 8032 and retains known vulnerabilities. 
> Contrary to claims made on the TLS list, Ed25519 has not been "stable 
> since 2010." The original Ed25519 specification was vulnerable to 
> malleability attacks, and this vulnerability were addressed by CFRG in 
> RFC 8032 in 2017. The 2010 version should not be used.
>
> 2. Simply fixing this bug and bringing the implementation into 
> conformance with RFC 8032 does not address the malleability issues. 
> The new signature algorithms defined in 
> draft-ietf-lamps-pq-composite-sigs introduce a new malleability 
> vulnerability.
>
> >I don't think this matters for OpenSSH's use case since you aren't 
> building a cryptocurrency
>
> >yeah, we haven't cared about SUF-CMA previously because (like you said) 
> it's totally irrelevant to SSH
>
>
> That is incorrect. SSH signatures are general-purpose and are used in 
> a wide range of contexts outside of the SSH protocol. The new 
> algorithms defined in draft-ietf-lamps-pq-composite-sigs introduce a 
> malleability attack that is not present in EdDSA or ML-DSA, and they 
> eliminate the BUFF properties provided by ML-DSA. Both signature 
> malleability and the absence of BUFF properties have been the root 
> cause of serious attacks in the past.
>
> > but that crowd does incredibly dumb things with cryptography so I 
> can't entirely rule out downstream impact to them.
>
> I find this quite arrogant. Signatures should not be malleable, and no 
> standardized signature schemes are, except ECDSA, which was designed 
> by the NSA. Stating that people who do not except signatures to be 
> malleable are "incredibly dumb" is like saying that Bernstein is 
> incredibly dumb for not understanding how to use SHA-2 securely in 
> SPHINCS+. If anything is incredibly dumb, it is to standardize, 
> implement, and deploy new malleable signatures.
>
> ---
>
> I find the idea that ML-DSA is an NSA backdoor to be absurd, but if 
> that conspiracy theory is in any way a driving factor for this PR, it 
> is illogical to use Ed25519, whose security ultimately depends on 
> SHA-2, a hash function designed by the NSA. ML-DSA and SHA-3 were 
> primarily designed by European cryptographers.
>
> ---
>
> I am starting to think that /draft-ietf-lamps-pq-composite-sigs/ [1] 
> is one of the worst things to come out of the IETF in a very long time:
>
> - It is very poorly designed. It removes the BUFF properties of ML-DSA 
> and introduces a new malleability weakness. One would think the reason 
> to wait for FIPS 204 was to ensure that all security properties of 
> ML-DSA were preserved, but this is not the case. Composite signatures 
> are new cryptographic constructions and should be designed within CFRG.
>
> - The design goals were not security. The goal is shady business 
> practices of selling FIPS-validated RSA and ECDSA as 
> “quantum-resistant.” You can slap on ML-DSA reference code from 2017 
> and suddenly you have a “FIPS-validated” ML-DSA hybrid.
>
> - It is now the biggest obstacle to the urgent migration of roots of 
> trust in PKI and long-lived devices. If standalone ML-DSA is not 
> trusted, standalone SLH-DSA by Bernstein and others is an excellent 
> alternative for roots of trust.
>
> - It is a Trojan horse for well-designed composite and non-composite 
> hybrid schemes that could actually be deployed. It is consuming time 
> that could be spent on other approaches, while being so poorly 
> designed that it cannot be deployed. Ericsson will not support [1] in 
> any of our libraries, products, or services. We will use non-composite 
> hybrids signatures.
>
> Cheers,
>
> John Preuß Mattsson
>
>
> _______________________________________________
> TLS mailing list --tls@ietf.org
> To unsubscribe send an email totls-leave@ietf.org
-- 

*MTG AG*
Dr. Falko Strenzke

Phone: +49 6151 8000 24
E-Mail: falko.strenzke@mtg.de
Web: mtg.de <https://www.mtg.de>

------------------------------------------------------------------------

MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
Commercial register: HRB 8901
Register Court: Amtsgericht Darmstadt
Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
Chairman of the Supervisory Board: Dr. Thomas Milde

This email may contain confidential and/or privileged information. If 
you are not the correct recipient or have received this email in error,
please inform the sender immediately and delete this email.Unauthorised 
copying or distribution of this email is not permitted.

Data protection information: Privacy policy 
<https://www.mtg.de/en/privacy-policy>

v2.46.0 | Report a Bug | By Email | System Status