Return-Path: X-Original-To: tls@mail2.ietf.org Delivered-To: tls@mail2.ietf.org Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 987E2FD364C2 for ; Mon, 8 Jun 2026 01:28:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1780907285; bh=8QMNFnq0Aw+Xc84cBM1Km41UexoxhnkU5ikmpHtk6uE=; h=Date:From:To:Subject:Reply-To:References:In-Reply-To; b=GE+6In3X26XXJ4lGecpoGOujf0YceYf+omOwVkfPSOVsYTYjmDyIiEvkjgVbJv8Oj 6KZJzzjyCX7TXtZuFKaWojIz+QN+qKmeyhHsWar/cQoHpm83i+E4Nzrv0/XDc7FShL vUaaq69zn3S3XPJFC4f2dhOA8Wzy4bsetARmjRIs= X-Virus-Scanned: amavisd-new at ietf.org X-Spam-Flag: NO X-Spam-Score: -4.398 X-Spam-Level: X-Spam-Status: No, score=-4.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=dukhovni.org Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KCQ6UOxsKBta for ; Mon, 8 Jun 2026 01:28:05 -0700 (PDT) Received: from chardros.imrryr.org (chardros.imrryr.org [144.6.86.210]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 69665FD3640D for ; Mon, 8 Jun 2026 01:28:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dukhovni.org; i=@dukhovni.org; q=dns/txt; s=f8320d6e; t=1780907273; h=date : from : to : subject : message-id : reply-to : references : mime-version : content-type : in-reply-to : content-transfer-encoding : from; bh=8QMNFnq0Aw+Xc84cBM1Km41UexoxhnkU5ikmpHtk6uE=; b=spFjKt9Knx+F3Naa1IVNM5Bdq0ZeL/xJ2YC45tqzH4tN9CnmgNCcRxBIPA6ZXwkOPUKeD 9xjlOv+6+lDbHdz6OpITHIWrdgmKbjFit2xEb0o2mDR9dpj1b8jCKfx8Ig7o/M5AStL58pw xsuviUL1B57U0JnapXwgRV7c8c6Cbbs= Received: by chardros.imrryr.org (Postfix, from userid 1000) id 99A4193559C; Mon, 08 Jun 2026 18:27:53 +1000 (AEST) Date: Mon, 8 Jun 2026 18:27:53 +1000 From: Viktor Dukhovni To: tls@ietf.org Message-ID: References: <154E6BD1-8F60-4E84-930D-751A812840C8@joseon.com> <8BF77F56-3E92-490A-A15B-ECA803E745D4@joseon.com> <874ijdv63m.fsf@josefsson.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <874ijdv63m.fsf@josefsson.org> Mail-Followup-To: Content-Transfer-Encoding: quoted-printable Message-ID-Hash: FR4KPWVW4U4QJTWZDEK6NJY2QPKY3CIG X-Message-ID-Hash: FR4KPWVW4U4QJTWZDEK6NJY2QPKY3CIG X-MailFrom: ietf-dane@dukhovni.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.9rc6 Precedence: list Reply-To: tls@ietf.org Subject: =?utf-8?q?=5BTLS=5D_Re=3A_FATT_Chance=3A_On_the_Robustness_of_Standalone_and?= =?utf-8?q?_Hybrid_ML-KEM_Key_Exchange_in_TLS_1=2E3?= List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Mon, Jun 08, 2026 at 09:33:49AM +0200, Simon Josefsson wrote: > The above argument is often repeated, but I think there are naunces tha= t > get lost when phrased like that. Security is rarely binary either or, > but more of a spectrum. All ECDSA keys in the world won't automaticall= y > be revealed on the first day a CRQC is demonstrated. People still run > RSA 1024 deployments (e.g., DNSSEC) In DNSSEC, ECDSA P-256 exceeds the deployment of RSA, and with RSA domains, the KSKs are most commonly 2048 bits, with RSA-1024 KSKs on only ~0.2% of signed domains. Yes, migration to PQC will take time. Today's numbers: - Algorithm frequencies: https://stats.dnssec-tools.org/#/?dnssec_param_tab=3D0 KSK Alg Domain count 13 (ECDSA P-256) | 14891802 8 (RSA SHA2-256) | 10202696 15 (Ed25519) | 576447 10 (RSA SHA2-512) | 179838 14 (ECDSA P-384) | 166224 7 (RSA SHA1 NSEC3) | 73316 5 (RSA SHA1) | 11194 - RSA KSK bit count frequencies: https://stats.dnssec-tools.org/#/?dnssec_param_tab=3D2 Bits Domain Count 2048 | 10008497 4096 | 405294 1024 | 24925 1280 | 17001 1536 | 5251 3072 | 2138 512 | 388 2024 | 148 2560 | 139 For ZSKs (that are much easier to rotate, if the operator bothers) RSA-1024 is dominant at ~90%. - RSA ZSK bit count frequencies: https://stats.dnssec-tools.org/#/?dnssec_param_tab=3D3 Bits Domain Count 1024 | 9039068 2048 | 1066378 4096 | 72116 1280 | 8079 3072 | 2753 512 | 433 1032 | 277 1536 | 271 2304 | 137 --=20 Viktor. =F0=9F=87=BA=F0=9F=87=A6 =D0=A1=D0=BB=D0=B0=D0=B2=D0=B0 =D0=A3= =D0=BA=D1=80=D0=B0=D1=97=D0=BD=D1=96!