IETF Logo Mail Archive

[TLS] Re: WG Adoption Call for ML-KEM Post-Quantum Key Agreement for TLS 1.3

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 16 April 2025 02:06 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 661EA1CB514F for <tls@mail2.ietf.org>; Tue, 15 Apr 2025 19:06:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=cs.tcd.ie
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RlQdulRD9QPy for <tls@mail2.ietf.org>; Tue, 15 Apr 2025 19:06:41 -0700 (PDT)
Received: from DB3PR0202CU003.outbound.protection.outlook.com (mail-northeuropeazon11021084.outbound.protection.outlook.com [52.101.65.84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 1999A1CB5147 for <tls@ietf.org>; Tue, 15 Apr 2025 19:06:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=Z6SXcbGlunQ9asgI+h5uBjMssZQBQrQjXxtmlK9oP6+72x6EP5+OCMAYJffUhChM1DHpvR9YuM3RgpEPIX/2QQTQ+WTqbpXXytYYJ2OBsdNtlRQ4CA6EzVjeKEZmreI2DA2/W0J5VnfuiHoDpUJy+NtRbKtRdLBD5mHYs2hZzikui6VVBwGwxdv1r2vwLbAg16dj2BPwLNjJxFdKbujLAcoZxRDxTw5txuz0rJ+RvrCANmysUM2NE7vEDaWr7B5tDvF3W/feIz9vM/EDnIN0tXv31X3wNYvsTLP0Fq1P+Kavf9SR/KPEQy5anRSfhabjkHQQH2VUHtituuUIT3riRA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=mlU/C0TlnNQrJz/Sh8Qbesc6vdH/e482qPKkHIPvEgY=; b=rB80YpPwGcLGyu6X4mEhG2qK28JDOLMNf4/iJ3PwfIiBNDHKr1OCUeaYlvmIkzHT+8OpZBB1ISBtZ2JxjtFMnPYYDHqROw/DB8lo+KaHgg+aVaOObO+oyu6f/TG+1rFf8i/lkps3CsqHfJUdMEXOhMwtyHB0EaAyOXICrgfBwgKELDRaJIOJURpN9E2B4Kz45LntimhS03rO6/cLw3IyJYXgalU1kABsNYsqY1hNRYv82Z9h/Sd8MCidespUyEBDUqI8UbEnKcQkhH8uIPCwoxiO/wd0zDcP0uLmXf+uhYbk0gYU/A+XxEzyYAD1p0jS/ZnVHvxikRSoZsiOSVeTkw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cs.tcd.ie; dmarc=pass action=none header.from=cs.tcd.ie; dkim=pass header.d=cs.tcd.ie; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.tcd.ie; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mlU/C0TlnNQrJz/Sh8Qbesc6vdH/e482qPKkHIPvEgY=; b=nXw80dEo9/iVb2ZBAiNcqT4sizYrm+R1gqwevoF9hNdqIfyzoIl121UG9cm3424Pm9wk/SOIPCPwNZ5lNNhLU3k3y4T1nu4TJ/TyuKe4EGjaaX9hhTZnMT+DVdkLcUPUvnAesFDD+JvE2yuuJ9rqZiIjTtnGEAX6b9paIL/Y1pXMtquWdEBlK1cryw9UyfXE2Qa0rgBuZqF8gvBSlDSGqcRvyzgZaq9/W06de67+qTwk9OB9PO+Ca9FP9VL2Y+7vKdhBEgx8YoLxZiH7PS/4afcMraUYB6ksd8K8sAL3ryjOH+nTB4c2uSDz3Ntb6QuJGbbW3ofzieDnfoe4XH4CVQ==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cs.tcd.ie;
Received: from DB8PR02MB5946.eurprd02.prod.outlook.com (2603:10a6:10:11c::16) by AS2PR02MB8863.eurprd02.prod.outlook.com (2603:10a6:20b:556::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8632.27; Wed, 16 Apr 2025 02:06:38 +0000
Received: from DB8PR02MB5946.eurprd02.prod.outlook.com ([fe80::e0d3:772e:a68d:d54a]) by DB8PR02MB5946.eurprd02.prod.outlook.com ([fe80::e0d3:772e:a68d:d54a%6]) with mapi id 15.20.8655.022; Wed, 16 Apr 2025 02:06:38 +0000
Message-ID: <73c3de1d-a9ee-43ee-8a71-ac1fe28ca467@cs.tcd.ie>
Date: Wed, 16 Apr 2025 03:06:34 +0100
User-Agent: Mozilla Thunderbird
To: "Salz, Rich" <rsalz@akamai.com>
References: <582917A1-F936-4A15-AE9D-342076605BE7@sn3rd.com> <F347DA21-EB06-4FBF-B357-871A0FFA8DB1@sn3rd.com> <Z/7lbXqb8QHruMS2@akamai.com> <05bd6aa6-4b41-4bdc-8875-d380924031cf@cs.tcd.ie> <IA1PR17MB6421EBF2FDA5B4395C92D6D3CDBD2@IA1PR17MB6421.namprd17.prod.outlook.com>
Content-Language: en-US
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Autocrypt: addr=stephen.farrell@cs.tcd.ie; keydata= xjMEY9GzphYJKwYBBAHaRw8BAQdAo6JvjmSbxHdQWPZdvciQYsHhM1NxQBU398Mmimoy4p7N M1N0ZXBoZW4gRmFycmVsbCAoMjU1MTkpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPsKQ BBMWCAA4FiEEMG54R8tZDyZFrDOn5Njp+ZeoM90FAmPRs6YCGwMFCwkIBwIGFQoJCAsCBBYC AwECHgECF4AACgkQ5Njp+ZeoM93bogEA25ElRyX0wwg+kGEN1AoL60MoZfvQZ/VtmXY6IC5j +csBAIBpkL5ySuzJK2zLNZn9qQGht8IaUcA7cvDcLvS2uHUEzjgEY9GzphIKKwYBBAGXVQEF AQEHQILCPWOwW36e8D3pY8GmvvtItIT+A5uV80ist+WokVsQAwEIB8J4BBgWCAAgFiEEMG54 R8tZDyZFrDOn5Njp+ZeoM90FAmPRs6YCGwwACgkQ5Njp+ZeoM92bcAEA8R+8cpqRUIS+SoAN iO05xE6O/wEx8/e88BqzAYki3SoBAOQdwiPX+MQrAxkWD8xxOsdMOAtxYKpkD1n8aPJUw6QJ
In-Reply-To: <IA1PR17MB6421EBF2FDA5B4395C92D6D3CDBD2@IA1PR17MB6421.namprd17.prod.outlook.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------5VzLKIZPeVbyh70yXxi0Ca9z"
X-ClientProxiedBy: DU7PR01CA0020.eurprd01.prod.exchangelabs.com (2603:10a6:10:50f::25) To DB8PR02MB5946.eurprd02.prod.outlook.com (2603:10a6:10:11c::16)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DB8PR02MB5946:EE_|AS2PR02MB8863:EE_
X-MS-Office365-Filtering-Correlation-Id: 53bfe955-3609-459e-898d-08dd7c8b526b
X-MS-Exchange-SharedMailbox-RoutingAgent-Processed: True
X-TCD-Routed-via-EOP: Routed via EOP
X-TCD-ROUTED: Passed-Transport-Routing-Rules
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|366016|376014|10070799003;
X-Microsoft-Antispam-Message-Info: yR4kNzOkiaasJ0Tw3lh+X3DlBzBCUJS4ZnqB0Jp5tYNjJ95/Uf8l3dsW1HAl7RCD7U2J3p6KIFglS1qU5SKOjWu0ohBruTJ2LYy3daVLiBUgEksJrXdUWXDvXwWr6ajzoUSP85XNgrwIWO/ljH188A2Ro6bf9ebb5cIfMd8DtxgPEu1j+L2+VemuUUQsGPdrjJy5HG8xP5mE6WZiHcfblJwnTdPFa4BmA8T/O3oIK5wg1gYJCIf/dRY7a0AcXrUwiZKEF1n5vHbym45tqUlBTeushBLVVr48dvbW5TkR/U45yivKt/52KcoNhtVlW1r4YV4fm5r6/HlzXdUJpFQlmyfvkoRe6pdQuMcffUf8+mZp+okkYyqi7psfJuwcCIYLxcgxOk7wrfWGPfbMfUUXrQc/xTFjw/zw0BEtFqJExEnsjhbQ0CN1yQVbSgMosXeD/nYGs1OXjDhdl3JulZPNacVoKLAp6ddk2XYu1ooxqlhViRXSt57+0AbBPyzgKKiC0TTziy82xACX8SyIZs8eG+w06rTIXnL4iUekBwknWJYf6t5+mIvcmft/gywOTxQeoOS1CG5OxVru6ltCsmPrDUGn6YJ85Ysz5ToSIzL+8hgIn8Ai7IJyrABMflsjAZASPZzx2e7nNgcDdDhKL69Ux4991J4keADYF12+D4T+Z7qPaDc0bbJufFQoa6g2Y367X9/bCeYyEzosV/q2iQrz+KcmS8aThuGKO9zJ9PwK+0AS7NpPbFg44YdTcxEhmPA0XXX2H5+diOY7q74UJzJzW94VIA74UKJ4tSVDX7Kr25VWAEnIZ7pGI/xtuw35y8iBGUVvHiSTvz4v5xWrFVVUVL6AObdWCOXfzWaLM/6Eip3I2GH7StuMEwOrkK22hvHA4+onP8JAwfVjUl8zm6Bjj272pKfFHNtvV6fv+2h0EOU9EsJkiaBzc4huZzCgFcucOzxoQvO2txp6ol+P/BOdS4P4Kb6TRSuhjrdx2C+JUlNNNOSqsWaGj27uxiLzHNO5W8RyyRxOWmksJe8G+ez0eRHSG7GWStPVNC2fUqhV2toBpa2gTYjlPGcIOaGjs/7OW6VPENuBOxpKceZJHgAfDfC3gDfMkVDXUBVKxXLdr88bP4wnB/E9zVpjwsAXmWsOq2hNDCZ/kJpGp8LHAXN1w1uIJ1cHBCOD41Wmcv9H0dgKmUNify/jwD7ZIZzpYe2gSFhonVLX6Ch1K/3KHM+I/G+AjCX+ypqZEEK+hI5eOSYvRjPdCyfP8ApPFX9pNxIQti03pTt6645PkE8afXhAZYgtwvfRq66R6cEr7AwyZAbe8888QkZ4dP0uOflBvRo1QI343LgxeBGf1f9NoWwdlOI1vkGhDrL6bdoTl+GLXwhUjw37js5jgocsfwNwZ4LUeKno8RGbyxjwJdsXfYxUwQ==
X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DB8PR02MB5946.eurprd02.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(366016)(376014)(10070799003);DIR:OUT;SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: tPrz3SCl01RzjOZ8IbIJ3Qhb6c8cixyY7nvmYzoQyhatA3mLlpoxBlIE/eEegfqY/Hf0FLFvstTXZ7P7OTfTN1NA2sE5Jfd/CFC3RFQ8sa2i+CoYK/ME8DYJMMEmb6ZAlMAHjK1mzhgtO4FnF7QWBgK5Pu2HPAfz9SCgK2AFTot0I0J43qEBwMnUa4BskjVu08rI5YfVzQ42sf7pgHoPEnOpElhshoQfYq4WEdLuJZ0GZwcObTF4W0iSp0aO9yfN6qSe2FEf3Uho6rzUcDzqg9kFCEdjR7f1PMzaUmcl8g9rTcyfALVD4tp2wM1XXDN2+1gpH8D41ALDneRVgig+4aT/9QG+Ucz4X3PBKCFhn+RMQlqtMzo24l6ijyV9/ViT1LCCZ+CU0Z+/VcvWqbPvqc7sv4pFRp/9sRZ0nBdRfEgPUrZUCvFeEebxwBu3bLrvGuOeor0hSuxitGT9v9DrPAOI9QMKIK9tdwZjHjjhmacQaMxxaiBxxfgXE8BoKsSPPavraS/gi5eBV8uO5spfWqEW4tpCvzIH45hFtL/0E0JaXejIOJ6ew/NneMEw/MkVnOakwGxqJGA1oxH6cFYIRgVKmsd7aBbcc5G5PF0MJXd3YUPbljNn79KKNYcFvbBhP+Ox3NnvKQdariqVWw9/ZZNBF2aoYeuzAVy6NB0vNIBvKO+Q+4GSLEODcH3uMM0kTMMJnvwUoVn8JasgJHwobu+3St2qsb0FJGmaPGN+1GGdNFl2o8PyABoztQL2/g1SyET4ayWB+WvavFLVlbR4UKClankPhJgb7hr/V3XhwVaBo71lLfrXF1hzQrecemKkkzoiZTUBc6/brvYjH9Z3vn2dsC09y5Wba3mWsDnPAW9grV/nbsrn2UEHcDgdz2NsY/5zrAzBppRX/qnX2H8jFKNTlA5RFfdXmQ8dRpFwUmjZ3eMLLCejoUaULW0Qu3OJVXJ/x3zbygD7lJe/33nvp+/XQTWgIEbM0e/hPzcrQpI4mzWGMvAufFurjz5ZoUGVR7b++lDInTfz9q4ST8GYrow/7hjKi6xwal3Ygv2j8AQLsrruivqz6bbuorOAUTCOrUm3YeZZvEQeRNk3bl4FMvqF1WiaLHz2cejq+juX+H4X/vcAocj+5Fb7gAggqQzMOieuc+z317W6GD+vmu7xT+rX904amDsHQeFzCjC1lwYR8UqfpCGlLprVOTrkXWmYK5QN09Yyqr5EHZfu3AKTgIZx0SkUmeNTzjM0L2tW47Li1McESZBH2RWgxDwwJLllkTUtlk3F1kgTJQgWpQUU5Tq4OTbNySGTqauagsN75HEosWrGoBRTSuLXFk9mgtcI/xmGj9pcASN/AtkIDqi25jlZiuawmNiHmeSi0RuXO0QoaHkzWmfZup6Ft31fAO7NdHlMPJ7PA8CxnNEfwAvFn800bAWf5Mq9VBC/m6olwN6NovetWTdmHsAC4XVW7nAPIxLOUkOhGpN6yQG71QhaIXU1vXJYudBrTQTwtJHY+/O57ZV/o2kz8eunRmaT6caawfb+QObQRoO8FufGZHnZDfpoe4kAfrUs0WwVCK8Ue1FLf+emBwQF84sToK2D4s1KzrxxABfMqnpF4TVd/P/rwFY1eetIqP/UqRgOBmzrxF+5HlHhAbz5XsgWXqqnfoMv
X-OriginatorOrg: cs.tcd.ie
X-MS-Exchange-CrossTenant-Network-Message-Id: 53bfe955-3609-459e-898d-08dd7c8b526b
X-MS-Exchange-CrossTenant-AuthSource: DB8PR02MB5946.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Apr 2025 02:06:38.3842 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d595be8d-b306-45f4-8064-9e5b82fbe52b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: jzeQc7s1fCkekT4Tx+uLbj0okBzUx2Gmt1tfHui95Pcadt8NDEyz/edfaMlKDtp0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS2PR02MB8863
Message-ID-Hash: JE56LQN74KQD23U6RHQ4B2KORFKA4HNA
X-Message-ID-Hash: JE56LQN74KQD23U6RHQ4B2KORFKA4HNA
X-MailFrom: stephen.farrell@cs.tcd.ie
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: TLS List <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Adoption Call for ML-KEM Post-Quantum Key Agreement for TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pF95VJnvUH7_hi7UE5C4xIDChJc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hiya,

On 16/04/2025 02:53, Salz, Rich wrote:
> I don’t know of any, especially since NIST has clarified/changed the
> rules so that hybrid key agreement schemes AB are valid for FIPS if
> either A or B is valid, and also if it’s BA. 

Right, that kind of external tweaking/changing, as to what's ok or
not, causes wasted effort, so if we end up dealing with that for N
regulatory situations we may waste a lot of effort. For me, that
argues to not adopt things where the only justification is based on
those kinds of regulation. (As the ISE route is entirely viable.)

> I’ve spoken to many of
> our customers and internally explained things to product architects,
> and nobody has raised any concern. Now of course, I don’t speak to
> everyone, and Akamai has fewer customers than many of those involved
> here; perhaps they can say something.

> Suppose the payment card industry standards (PCI-DSS) says they want
> all terminals to move to PQ, and in particular MLKEM. Would that
> bother you?

Well, you know I'm easily bothered:-)

If "move to PQ" meant no hybrid stuff for TLS, I'd really wonder why.

Cheers,
S.

v2.30.2 | Report a Bug | By Email | System Status