[TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3

Jacob Appelbaum <jacob@appelbaum.net> Tue, 28 April 2026 16:37 UTC

Return-Path: <jacob@appelbaum.net>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 40A2EE4E7125 for <tls@mail2.ietf.org>; Tue, 28 Apr 2026 09:37:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1777394274; bh=/D0QgoCAfRvviy750PqHXOxZ5mBjjDYR2mbhUyDIhvE=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=qL+VGvmUE+9R6XYiiMeMASv/oUj5xatLIdF7iuggwl3NTV3C8G1PZwWx+v05X4wI9 Nn6Dw99jMZ1M+VCrLLe9bR21mF/5vCpdc8nvkZBwCVt1TrlchcFL8wwjuQIAWZSvwW 3gxpmRdStUJVXYY2EfWJ/tmfrAinyOhw6qPGTuuY=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.801
X-Spam-Level:
X-Spam-Status: No, score=-2.801 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=appelbaum.net
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K-CMnGa6fgpR for <tls@mail2.ietf.org>; Tue, 28 Apr 2026 09:37:53 -0700 (PDT)
Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net [IPv6:2001:4b98:dc4:8::222]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 9DFDBE4E70FF for <tls@ietf.org>; Tue, 28 Apr 2026 09:37:53 -0700 (PDT)
Received: by mail.gandi.net (Postfix) with ESMTPSA id 6DBAE3EC43; Tue, 28 Apr 2026 16:37:45 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=appelbaum.net; s=gm1; t=1777394265; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=Yuz+w3c7/fNZloJaiB3XnBNZ257emgiJXx9BuaAuVEs=; b=lEfQxo9cxBr1mPqEa3tbwtvbWmXiURuZw2ac624i2uRXw6J6pSpM2BNo9sim+uU+29k7Rf A6rbyeRAvk00iKDSvbtMkWO5aeohy82787HSARzuLf0Y7pyBbUAUUvrGnLg1tIR62r0hrK tgW9Z64toKDDYUiHLE/EwfZEaMlUrxsFP46bV9Pjrb8cC/oTSZvnNxpfWOP70XP+aQB59s KvLAgazwi/fuRwR+yhuGK3UAGNgwQcy9d5S+sfX4qKTC/s40vqzeKIeSIZuGdZ6huhZwIE AqkkyXkyuHvya2EZlR7so9PsXg4BVk4YDJnUlUkd3F5S45ZQ1huhaQJ0sEcV5w==
Message-ID: <cc5e4415-7752-4c8c-a50f-62db47a0d6dc@appelbaum.net>
Date: Tue, 28 Apr 2026 16:11:13 +0200
MIME-Version: 1.0
To: Bas Westerbaan <bas@cloudflare.com>
References: <16CF0FDA-7263-461A-9F2B-D37DBEAF5DD9@sn3rd.com> <d1e64f4d-13ba-4186-85d5-3dff028b62fb@appelbaum.net> <CAMjbhoXvf0PCXiuN2+-G-MSw6-C4vq3eHmjz+GF4dx2F=x-tfw@mail.gmail.com> <032e327f-57b2-428c-a9ee-99c004358e86@appelbaum.net> <CAMjbhoURLc1qqjoCXdELKQsYC9ijh_EVgBaBqx3nCsccBNFxoA@mail.gmail.com> <a486329e-4ddb-470d-8a73-fb395e3d47e6@appelbaum.net> <CAMjbhoW0idai0+_e24BX9t5sr6prOW9hXRB+YYjWBSuRZUxp3w@mail.gmail.com> <87961683-02a6-42a2-817f-b91931c79996@appelbaum.net> <CAMjbhoW-f1NtgFRi2RAOfEwhDX8QVZF7zgBcZsbC81HLmbK8xw@mail.gmail.com>
Content-Language: en-US
From: Jacob Appelbaum <jacob@appelbaum.net>
Autocrypt: addr=jacob@appelbaum.net; keydata= xsFNBFXlpJ8BEACnFzfarolZLsaP8GCk/ytNIUk6+GstAAVqQdHprkx3TfZl5/tUQC7a9oz/ +QD93U2Zq0RVj6/fAiZeV8X0TadVDcYo2KNk693EC1qwJwGMOMiYKEqAS1PuNSzQqvtyqlm9 0TrGL2qVKqIGHP1CXdV5QAlqqvpG5AVaH49H+cLmzkGdnz8Dp89zcmQ43EPvBxnHSq2P3D8+ aMgICQmzjxnqzX4X1w45EqNIv3STmTDS5HxhISu8KpRuWXvAm1XItCQGzJAq/ybEW60NpH4q yZsPQ74w6K3kECwEwUrO3yCScKuWFFs2qIdvditoWRIZQSErZi0VhMMoxx1n0y6dYffNvds7 c7j5n23KZ++8pZjqdql/cFez7o7RBn+tiTO5jJCFkhgDK51jQxec0d0qjeQvxCaafsM0q8qJ n8icW16yzOg5Ace6Hg+l+0DicqiwYYW1807xd+BGT4YqagdbtiB7UPcfEzAo84QlqYjqcKqT 3tKFf6SuetGffEW9f3XP9y19IqpNNRJDdWDrz44GeH86j/XE01buJE4evjvFaoUAGUYoB3Ul ZjtKj9bm1NpeKBmkgD1pqR4cWFf9tRJf31ztgd6PZBzuZ2fJkXShbz0wIVL+wDAX4X/fyUib OO1tgf9c+BYhRn8LTA9JtfAdm1YnscSK8pjLiD4u/Hbqk0H0WwARAQABzSVKYWNvYiBBcHBl bGJhdW0gPGphY29iQGFwcGVsYmF1bS5uZXQ+wsGIBBMBCgAyFiEE4R/M4wW5yEZ5Oweu2aEf fpkhXaEFAlXlpJ8CGwMCCwkCFQoFFgIDAQACHgECF4AACgkQ2aEffpkhXaHVCBAAhIJNeG8v q9SdwSmolgv4cqBOXYxuiH1GkZv4tbUHJfmg+msXFXY77Wd3G48ltM4srqCmfwGCGu2Y4Ggu iU3XQPwyQ7KU49WFU5s8ZFq0m/pt2chIlI3uvenvsxvS1GkljOrhpk/flkdtdqDb60GZizTZ JVnXMNuDmvTr97ltQ3q9vrp+tZv/+I02uhsWQGTQrSdCjOUYNtO3C4S/GSMDZ7Jzf6X89s1z /O7os4YCZx3qVxR9IsLqkFi/TyVsROOiIzea0oPifaO94Cg8kkEc9eYLfJwfIW7A67SLbiTd U4tkxT7o0SgAc0aHB24xZKkoLSVAXW/GyJlq/K8aB5Z3RYWibe4i4aCa/uJDaZwACLapU5pp botaM+yisguEZo/t10KGbkamwPHeaGi/UPLxUjR3TpeGWF31/xRe80vtVxaBCOy1+6W88UBH 3hFwb4mnH1jmZUKkjX0xAdzOf9ry7B/JLTsOSEoatj2IrmfNhM+66x9buLq8nPDbx4c3gfvd qcMbvkJDzGrGIF+dfhaGL42vBk69wziS6VL9eUZG6cDqL3yd+UqioFELV3n0I8NJR3QeOVkv nibez4PfpYvgvFiEf+0sPlUnEN6axrUdZNtKSm1+Lw7NSXVWwMHtNE9jn7fXaWIZ6thgHaoA ES5uVLQYwkpcHQ4UcUMuGGun2M7OwU0EVeWknwEQAL1jVf/pnmjEHYW7EGbhHy5C8lALekKt ubPT9/OPwY1rYXgjPYC9PMw0gTVpYVxotBRIY3NCay9Jsm5QtMX3EnkCP0dEv8EWU+o2WlEY JtwQFC/TQbwaKBaMgHWpUJFD07KdKMp/92CUMOMHEqToxv+TI+hidbRMRt/McYf0V9mrzE+5 KmQESfTSXPtV32LyslOMpeDIOa/XS816H2jtw4Mzb+VF0EdlqCvltovUIr0ghh4HSaOVQi8t bjax2F8NKM87yIhszsdneiDIH7Rk9ZznWfC5IMkLWCejPh1EZlU3zNzv+FFdDREaQ54SezE6 txW86UaBvwWUOAdgdYw6cDXBeAYfn90O6v96WxLUthfomAHb7kjTSG4ngOcoiOq/i/wOFryR G07bhL+WYA63hvqIM89DHfmhWhUsOkiUDbDK9xOABGQ7+UJ39r4IaNa4IUn/hSmyevncyJYJ MdjCDSruqmY4V34d3Q2cnAy+1jf8Cm4opOYdzAtuHNfjWLbXksO2z4mncee4NdKlpvD9rZCD 6iSEsdRV5UuiP8oBEi/4q1RNn8abCmyWUQXqdo3vnkV3Bgl8GnuS6GGEzVJq3pC8CqjZ97V/ +YHjgPcMUL2RCc9/QRfR71BjYsllLwlZtl85zYcbNORDUzVOe1Qg+k8DygcDPAuvFwLzLn1+ MGrZABEBAAHCwXYEGAEKACAWIQThH8zjBbnIRnk7B67ZoR9+mSFdoQUCVeWknwIbDAAKCRDZ oR9+mSFdoaX7D/49q6ALUSfwFyanXeX4YLfndeTCJd7AiGGlYVFzESkk4DUEy68Y8e7gYs4B 2YDpRzDgJrx2A61u7oSHv0b4hzwUJ41TyBbE4D2hR8o9qnAX2jpwWPinjCInbinUGkpfSZxn b7Yn6/p2kw5JeWGFlBJEyz3/g5ebq0qrx/OdpS9b8Jxlde3Le0jU+753BHV0ef3JfCTH6BuM 2T8Cv64n7vkhZWqUgnB3rEXIzq+xbYrpLJTeapwSr3k+xjI5YpmiTjUD8uCwzSJoq8x5YnXV CjA7TNGvhANFu1j5ElnSf4I6mje3gL+MK8Fw75SUZqdTL73rXstP2HqzDIV+19w8JA25h/Tm CcCYu717hq0kJVk2wiFbmhJHj6kb0tgn7xCCw9xe4g4T9K5YL4UiSpL+zxIb1BLuaYoYtPXP RcX0NkBu+N38Tvpng6HrBGFHQzTv4GB60eDm0A5+zbQe4RFmR5G1BdBpeYauNbtA9gAhuBZy DJPEu/qlaj3Ptk8MZiLFeHTZaBj9O1W8NuqK88k8KYkV/gd1Vni55bMee4CAhfGnHedDySGf mzbNFr/QAYmT3flZg7xnVJWSF904U8QAN1lejrC2dsj6TcaTHIzf9T3SZQDvc6e2ocYu6VeS Ctn4q1Sm/1ctbXEKhP8Ye1RRRwO0GvxJACvuHfoDqeZI98haZw==
In-Reply-To: <CAMjbhoW-f1NtgFRi2RAOfEwhDX8QVZF7zgBcZsbC81HLmbK8xw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-GND-Sasl: jacob@appelbaum.net
X-GND-Cause: dmFkZTEtLDq0WN7LY9U5gitDzBP9iJHcbI39hNpKVZAQ+5LJ6sbTJ0gDhu/ZeY79S4bQKZzoVUhqCy2d7ykWbiTd19TFNY83m5eVECo0KThaaWKqNlfIYp5vpV0tmeMBO7FRv+8I4x6CY+iNUIsZuaMgzAEyCxYDOudxjXEhF3amH5rcoZKcO3cEqzbUUP2nXqGbkvKa0IFhTBpv81bkSFUx5iPLcg/3cL5aEZ5FACZmV3ZGs+o+Njyae45ZdGhMAMgx2V8F0JRgG7KPoP9gwbLDeDRKWrl4wVTVTICgs9mkUKeQmk/pt08O9nH43PEdbaaTMn5oj5cSC5WSBPHXpBOtki8OJqaurB1IEvticUO9MG4gdjzVd1bgUeiFSDCk4Hc8KlojBmzLH+4C0FX4ZJPJF1C19jnm08LjlsT7jRwGrKvRxo2jt7DIVw+Neo3JlRhyFiMC7lFMttVZAVChV73EltsSd86dOPi9BF31oOjU4MjF3epHm7tSF/wan8A4P9As2HPVZmkCS2a+k8/z5Wk0J0QtIo0fLPLFPp1edAnh44n1/Y0QtX+kyX225zL6gOvO+L+od+0KI1qQgr0YDuAVBRm+G8imeUgu5G5/UHIEGOaMc1eV066ka1rGu7ILg+GXvcHOZ6QO/PwB72DH86JqI9/WL2F8fLPBYO9nWoy8PFbz9g
X-GND-State: clean
X-GND-Score: 0
Message-ID-Hash: NOOORFO343N2UTQUJ4IGP3AXNWEBILMA
X-Message-ID-Hash: NOOORFO343N2UTQUJ4IGP3AXNWEBILMA
X-MailFrom: jacob@appelbaum.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nLM4f_wuKsOOY5kt96eRFZkIHwc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi Bas,

On 4/28/26 15:20, Bas Westerbaan wrote:
>> If that is still wrong,
> 
> 
> Why do we use server certificates in TLS? To prevent impersonation of the
> server. If you never talk to the intended server, then it doesn't matter
> which certificates your server has installed. To wit: your server might not
> have any quantum vulnerable certificates installed, but if a visitor
> accepts a quantum vulnerable root, then any quantum attacker (come Q-day)
> can impersonate your server.

Your example makes sense to me. The same basic reasoning applies to a 
root where the new PQ signatures are broken by a regular computer before 
Q-day. Both attacks may apply but with one of them the attacker may not 
require a quantum computer. Don't we want to stop _both_ kinds of 
attackers? Why shouldn't this tension be clearly documented in the 
security considerations of the draft?

I take that as you agreeing that my summary of the TLS protocol was 
otherwise correct and that I did not misunderstand TLS?

We obviously have a disagreement of scope rather than a misunderstanding 
of the protocol steps. The disconnect seems to be a matter of a narrower 
vs a wider perspective. My view remains that a client in the very near 
future should not accept Rad in place of Trad, only PQ/T as an addition 
to the Trad ECC cryptography. Today many only accept Trad ECC, and 
ideally soon we should see PQ/T cryptography all the way up to the root.

The draft could set that as the baseline because it is the safest option 
that covers the largest number of attacks. I understood that you agreed 
on the list about hybrids but without documenting it in the draft. If 
you don't agree about hybrids then that is the core of the disagreement. 
If we are in agreement, the missing part is the analysis, and that 
agreed upon conclusion being added to the draft.

> 
> 
> I do not think the draft currently addresses the security-section point
> 
> I am raising: why a non-hybrid PQ signature is an acceptable
>> authentication baseline when hybrid/PQ-T constructions are the more
>> cautious baseline for key establishment and signatures. It is my
>> understanding that you generally agree and yet this agreement is not
>> reflected in the draft.
>>
> 
> This draft does not recommend ML-DSA-44 as a baseline. Feel free to suggest
> a wording you like better and that reaches rough consensus in this working
> group.
> 

Before and after the introduction of this draft, what then would be the 
baseline for PQ crypto in TLS in your view?

In any case, here's my first draft of a suggestion for the security 
considerations as you requested:

"The IETF is not recommending the use of post-quantum cryptography as 
defined in this document. The use of ML-DSA as with ML-KEM in TLS 
without a PQ/T or hybrid construction is a matter of serious contention 
as post-quantum cryptography alone does not provide the desired security 
offered by hybrid constructions. This document is MUST NOT be intended 
to be used as a transition document. This document MUST NOT be used to 
justify further post-quantum cryptography deployments or the use of 
post-quantum cryptography in non-hybrid constructions. ML-DSA alone as 
defined in this document MUST NOT be used at this time."

There are no protocol police, so people will do whatever they feel like 
doing. It will however clearly be their responsibility for making a 
risky decision. A lack of doing this earlier is why we see PQ rather 
than PQ/T being advanced using the previous risky advance as a basis for 
future risky advances. Most but not all of my concerns would be 
addressed by surfacing both the points of agreement and the points of 
disagreement to all readers. I don't feel strongly about the wording and 
I don't speak for others but I do think that this at least reflects many 
of the concerns raised.

Kind regards,
Jacob Appelbaum