[TLS] Re: [EXT] Re: WG Adoption Call for ML-KEM Post-Quantum Key Agreement for TLS 1.3

Nico Williams <nico@cryptonector.com> Tue, 15 April 2025 22:47 UTC

Date: Tue, 15 Apr 2025 17:47:25 -0500
From: Nico Williams <nico@cryptonector.com>
To: tls@ietf.org
Message-ID: <Z/7h/bxFMbla019t@ubby>
References: <Z/7TgGIkmvV2fdAk@ubby> <20250415223323.237945.qmail@cr.yp.to>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20250415223323.237945.qmail@cr.yp.to>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tLCzbjetxlFmlEnS2m_B5mGvXDs>

On Tue, Apr 15, 2025 at 10:33:23PM -0000, D. J. Bernstein wrote:
> Nico Williams writes:
> > there were no objections with technical reasons that were fatal to the
> > work in question
> 
> I disagree. For example, the draft's regression from ECC+PQ to just PQ
> is certainly a technology issue; and this is fatal, as a contravention
> of the "improve security" goal in the WG charter.

That is more of a policy question.  Does the WG want to allow pure-PQ,
yes or no?

Certainly the policy question could be fatal to this I-D if the WG were
against non-hybrid PQ.  But it's not a fatal flaw in the sense of "it
could never work because you forgot about the retroencabulator
frobulating the PQ switch, which encramflobs the whole thing", which is
what I had in mind for "technical reasons".

Your objection seems to be of the "we think the retroencabulator for PQ
may fail" kind, not "it's broken now", which is fair, but it's hard to
figure out what the likelihood of that is.  Framing this as a policy
question means not having to think too much about the likelihood of
ML-KEM falling to cryptanalysis.

The WG should decide the policy question before deciding to work on this
or any other non-hybrid.

> The draft might be able to escape this if it were serving other goals in
> the charter, but it's not as if the draft lays out a case for that. The
> draft says non-hybrids are important for users who demand non-hybrids;
> this is a circular argument. To the extent that this is an allusion to
> NSA purchasing, it violates BCP 188 ("IETF Will Work to Mitigate
> Pervasive Monitoring").

It might be fine to adopt this only for publication as Experimental.

Adopting this I-D before deciding the policy question and the related
which-track question seems wrong to me -- possibly an end-run around the
[predictable, earlier?] objections.

> > The policy question, if called, could in principle lead to the IETF
> > asking the ISE not to publish this work.
> 
> Here I agree, and I think this would be a good way forward.

It's really just a policy question.  That should be decided before the
adoption question.

Nico
--