[TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM KeyAgreement for TLSv1.3

John Mattsson <john.mattsson@ericsson.com> Tue, 21 October 2025 16:58 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Sophie Schmieg <sschmieg@google.com>, Alicja Kario <hkario=40redhat.com@dmarc.ietf.org>
Thread-Topic: [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM KeyAgreement for TLSv1.3
Thread-Index: AQHcQqI8rAMuEcjeTEKSvfNg19fDfQ==
Date: Tue, 21 Oct 2025 16:52:38 +0000
Message-ID: <GVXPR07MB96787735077FCB838E00AC5789F2A@GVXPR07MB9678.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-GB
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: HFV06TgXCbgqtmUTyIER4uSVddsXD1KhZRycA2bejRK0OcCM9TtVlvYAfpQX9cB9LAlTezCTppYHQBG9AYJyF9iMcYno1v8NZiygwswM57NhyWfxMJSEK+RRomSbnSQ/el7wYf83etzDZKkFh9e1z7ofIL0u6EjHQ/vwRTfaVTBqNFJInHe/WbBCF0BcZDtmL+QSgChRXrKe6Yt4XXSeYQUp31tA642HH0u2zRD7qjsYACPSfiCpC+F286HoEm85hGUtOC9qTGh1byNvrXzKYu7uGVgtjmnIkFP44V+slnC+uo6GG77RIxS2FjAM8yzwvUZ1jdc3IPaXE0x+uO/XVDbQWyNc5cjZ7z5avt9XAPXgA7gGkkHyjtDRQ0EcIcN9RgAKYCjCb1On9rvFPNnSNzkE9JhoJeDl47RB1YpBcLD3H99LQKFI8eQU5jOs2QLE4ih0O5QV+93SBhhtHLmPbGPOrKvYmRfl4N2u9HhSN8Znce8gIReEf9ehT9lRPlFcPruQaHY6Ye4pOyPp6EQJk6sdqcR8RSJ8CPJrvoioHD9xViBD5koj+Hw3503sXV15gqvntmeWUErAHB5y2xT6JvPaEUWnr5jCkK5xc2tn4grboEO4HiyU1PIgp05c3izEt4mBDT54UilhB/D13hIO8EloWLrorerWKtR/TbQEaJQqkNp8BbCQTibQFB5tLXJ7eFlB6a1wYgSsAOiUm68PCvt8BsnymZyg6wJCRYtuYIbNa747fNV7b79PjT4vUVVpFzzB49wjwvpjG2/4loBVew9adLHsohowbPHa8jJf80IJ6EJfyIpCp6AmLSt4xflM5IAPNJw7r/xAunIe6n2twxaCZdCO4g/t8I57R7qxJrkOGsnDd1p05pO/KaJ6d3XW2523X3Li5MzEBg3bYreSGtLMDMhulbtr4r5lkCTRo9Kn4gzd2AS2gAjd835Q8Y5bkV53K/aim+eyrZcLFOnMqoHIuDYWbCQWHY6a9RPYC3k/9ZFGkSQE3hLlWWwYISWjqs8Yot+lyYZDu9BDPTeOZv7epknD+JcTfO2WYLi2s54xGlOHNC3cfjKKxc/sDDdnP8fLjN6BlEu9Bftaho2HnqApNMsyCwcijb20bp/YAQYHFeoEqpFySNJBgtk6+lWcz2aGn64KSixZUIeZdRQbYpvOhbEB0M8+u3ZwAajvyfpRG7bnGBjdK7Kywjh5hw44b2G8MKCjK2quU1Culf+IYEa2RurcDxQQDXq6ryyU48JgP9bShDsIeHv5fvlCAB1BJfe0mVQM5ZnPmOZQ9PZg/lzM98GRcGOOLFFsmsNqU9S/NcNCgEGiXz9Jh3tSmp4wixUiIcIflb0z3BOzkiAGNa5I/d0nTHCrdipSVHimuSkZjNfw6vp8+I3HYXA99SLLmCW4W/ODEkELuk/iRlV2GTt6sfIHzzSChI5J2+NRIowWUYLqlBYu0rB+PIjztMy1kMcLc76GJF73ofAkEaFoiNhqFgmmT+IEQQlzVwqQ4hhdZy7vDeYrL6FKZKFv+aF9GzaGp+xcO2Bp6Ce+xSEwy0+wjsLGGJPJzJO6/yx6J2rTpNHd2j4wEwHO8CzPpCwxPfzPRYQjvuwvFgBa8af7F3aZmvH9hSMNDqf0F4Gpnio=
Content-Type: multipart/alternative; boundary="_000_GVXPR07MB96787735077FCB838E00AC5789F2AGVXPR07MB9678eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AS5PR07MB9675.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b0be19f0-7cbf-44e3-5d2a-08de10c23df7
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Oct 2025 16:52:38.2358 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: N+cfXkk+cCS2MGSh1AQmG+AR5AJ46lGnGfGjnBmo5vnB43APc5LTrmHD56eFSLdl8yTgNvZ0Wy0XthRlGgIEZlNf8kgxeMENhbsLblat8Ao=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB6451
Message-ID-Hash: BRDO7AVY4HWGIQRR5DEJOTYCXCUSQY7O
X-Message-ID-Hash: BRDO7AVY4HWGIQRR5DEJOTYCXCUSQY7O
X-MailFrom: john.mattsson@ericsson.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM KeyAgreement for TLSv1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jirDEpski_nnZPv7MKufLY0Qh68>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

>MTI is imho meaningless (there is no such thing as mandatory to implement, since no enforcement arm of IETF exists, thankfully, so implementers can just not implement something if they don't want to

The MTI flag has an effect in industries that believe in standard compliance. Both TLS and HTTPS are used in many other places than the Web. In the case of TLS, where the specifications are not continuously updated, MTI can have a negative effect on security. There are many TLS 1.2 implementations supporting TLS_RSA_WITH_AES_128_CBC_SHA (Static RSA key exchange, AES-CBC in MtE composition, and SHA-1) just because it is MTI in RFC 5246. 3GPP mandated AEAD and PFS in TLS 1.2 10 years ago, but there are still nodes supporting TLS_RSA_WITH_AES_128_CBC_SHA because of RFC 5246.

That said, I think we should leave MTI and Recommended discussion to later.

From: Sophie Schmieg <sschmieg@google.com>
Date: Monday, 20 October 2025 at 20:31
To: Alicja Kario <hkario=40redhat.com@dmarc.ietf.org>
Cc: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>, tls@ietf.org <tls@ietf.org>
Subject: [TLS] Re: Working Group Last Call for Post-quantum Hybrid ECDHE-MLKEM KeyAgreement for TLSv1.3
Note that this is discussing the key agreement to begin with, so it would be ML-KEM in any case. And again, I have no strong preference on any of the flags, MTI is imho meaningless (there is no such thing as mandatory to implement, since no enforcement arm of IETF exists, thankfully, so implementers can just not implement something if they don't want to), and the RECOMMENDED flag is similarly undefined, as has been argued back and forth on the list. Let's just ship it, please :)

On Mon, Oct 20, 2025 at 10:14 AM Alicja Kario <hkario=40redhat.com@dmarc.ietf.org<mailto:40redhat.com@dmarc.ietf.org>> wrote:
On Monday, 20 October 2025 17:57:33 CEST, Simon Josefsson wrote:
> Alicja Kario <hkario=40redhat.com@dmarc.ietf.org<mailto:40redhat.com@dmarc.ietf.org>> writes:
>
>> If that classical part was good enough to be MTI and stay as
>> Recommended now, it should be good enough to be part of the hybrids
>> too.
>
> I disagree with that, if you imply that the P256 hybrid should be MTI.
>
> So if old DSA was still MTI we have to make DSA + ML-DSA MTI too?

We're not discussing if any of the hybrids should be mandatory to
implement.
And what is the purpose of discussing alternative timelines where DSA is
dominant?

> I think we should make decisions about P256+MLDSA based on today's
> knowledge about P256 and MLDSA (and the combiner) rather than having
> necessarily make decisions that use earlier decisions on P256 as a least
> common denominator (i.e., MTI).

And what did fundamentally change since the P-256 was marked as MTI and
both it and secp384r1 curve were marked as Recommended?
--
Regards,
Alicja Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com<http://www.cz.redhat.com>
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic

_______________________________________________
TLS mailing list -- tls@ietf.org<mailto:tls@ietf.org>
To unsubscribe send an email to tls-leave@ietf.org<mailto:tls-leave@ietf.org>

--

Sophie Schmieg | Information Security Engineer | ISE Crypto | sschmieg@google.com<mailto:sschmieg@google.com>

[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Paul Wouters
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Working Group Last Call for Post-quantum Hy… Joseph Salowey
[TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
[TLS] Re: Working Group Last Call for Post-quantu… David Adrian
[TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Deirdre Connolly
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Bas Westerbaan
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Loganaden Velvindron
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… tirumal reddy
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Andrei Popov
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Thom Wiggers
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… David Benjamin
[TLS] Re: [External⚠️] Re: Working Group Last Cal… Yaroslav Rosomakho
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Eric Rescorla
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
[TLS] Re: Working Group Last Call for Post-quantu… Martin Thomson
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Andrei Popov
[TLS] Re: [External] Re: Working Group Last Call … D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Filippo Valsorda
[TLS] Re: [External] Re: Working Group Last Call … Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: [External] Re: Working Group Last Call … John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Watson Ladd
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Re: Working Group Last Call for Post-quantu… Yaroslav Rosomakho
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Blumenthal, Uri - 0553 - MITLL
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Dennis Jackson
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Stephen Farrell
[TLS] Re: Working Group Last Call for Post-quantu… Joseph Birr-Pixton
[TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
[TLS] Re: [EXT] Re: [EXTERNAL] Re: Working Group … Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
[TLS] Re: Working Group Last Call for Post-quantu… Christopher Patton
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Muhammad Usama Sardar
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Rob Sayre
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Viktor Dukhovni
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Deirdre Connolly
[TLS] Re: [EXTERNAL] Re: Working Group Last Call … Rob Sayre
[TLS] Appeal Response to Rob Sayre - was Re: Re: … Paul Wouters
[TLS] Re: Appeal Response to Rob Sayre - was Re: … Rob Sayre
[TLS] Re: Working Group Last Call for Post-quantu… Salz, Rich
[TLS] Re: Working Group Last Call for Post-quantu… Blumenthal, Uri - 0553 - MITLL
[TLS] Re: Working Group Last Call for Post-quantu… D. J. Bernstein
[TLS] Re: Working Group Last Call for Post-quantu… Jan Schaumann
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… John Mattsson
[TLS] Re: Working Group Last Call for Post-quantu… Peter Gutmann
[TLS] Re: Working Group Last Call for Post-quantu… Yaakov Stein
[TLS] Re: Working Group Last Call for Post-quantu… Kampanakis, Panos
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Bellebaum, Thomas
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Robert Relyea
[TLS] Re: Working Group Last Call for Post-quantu… Kris Kwiatkowski
[TLS] Re: Working Group Last Call for Post-quantu… Eric Rescorla
[TLS] Re: Working Group Last Call for Post-quantu… Simon Josefsson
[TLS] Re: Working Group Last Call for Post-quantu… Sophie Schmieg
[TLS] Re: Working Group Last Call for Post-quantu… Alicja Kario
[TLS] Re: Working Group Last Call for Post-quantu… Joseph Salowey