[TLS] Re: Working group last call for the deprecation experimental code points in ECDHE-ML-KEM

Eric Rescorla <ekr@rtfm.com> Wed, 05 November 2025 11:40 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/mMIgwefPwuJlXhbbVJY4BMb0Mm0>

On Wed, Nov 5, 2025 at 12:18 AM Bellebaum, Thomas <thomas.bellebaum=40aisec.fraunhofer.de@dmarc.ietf.org> wrote:

> > > added to the TLS registry as X25519Kyber768Draft00 (25497) and
> > > SecP256r1Kyber768Draft00 (25498). This document obsoletes these entries.
> > > IANA is instructed to modify the recommended field to 'D' and update the
> > > reference to this [ this RFC ].  The comment fields for 25497 and 25498 are
> > > updated to "obsoleted by [ this RFC ]"
>
> To be clear: We are not freeing the registry from these entries, but just
> warn against interop problems because everyone is supposed to use the new
> code points?
>

Yes. There's no meaningful way to free the registry from entries once
they've been in use. All you can do is tell people not to use them.


> So the WG rejects "D" as a means to warn against non-hybrids with some
> reasoning that D is only "for weak cryptographic algorithms" [1], and would
> group it "with NULL ciphers, RC4, DES, EXPORT ciphers, MD5, etc" [2].
>

You're making the common mistake of attributing one argument offered by a
presenter with the views of the WG. The view of the WG as expressed by the
consensus call is to make it "D", but that doesn't mean that the WG endorses
(or doesn't endorse) that particular bullet point.


> Normally I would welcome the above measures, but the picture it paints is
> that there are already some hybrids with "D" yet there are non-hybrids with
> "N", so "_surely_ hybrids are less safe", which (putting aside the
> important technical debate on this) is definitely not true for reasons of
> code point allocation.
>

I don't think it paints this picture.


> I oppose this change until the comment fields are made more descriptive.
> Something like "Concluded experiment, refer to [ new equivalent code point
> ] for standard ML-KEM" would suffice.
>

I think this would be fine.

-Ekr