IETF Logo Mail Archive

[TLS] Re: LS on the work item related to QKD and TLS integration framework in SG13

Arnaud Taddei <arnaud.taddei@broadcom.com> Mon, 23 March 2026 20:46 UTC

Return-Path: <arnaud.taddei@broadcom.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 2B74AD032B0A for <tls@mail2.ietf.org>; Mon, 23 Mar 2026 13:46:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=broadcom.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FB7ZKyPsq3SJ for <tls@mail2.ietf.org>; Mon, 23 Mar 2026 13:46:10 -0700 (PDT)
Received: from mail-qv1-xf63.google.com (mail-qv1-xf63.google.com [IPv6:2607:f8b0:4864:20::f63]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 32D5BD032AFF for <tls@ietf.org>; Mon, 23 Mar 2026 13:46:10 -0700 (PDT)
Received: by mail-qv1-xf63.google.com with SMTP id 6a1803df08f44-899a5db525cso4174226d6.3 for <tls@ietf.org>; Mon, 23 Mar 2026 13:46:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774298764; x=1774903564; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:dkim-signature:x-gm-gg:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=g89dlzf21XoRI/948FNcHqejRXjeXD0ywp5FrtMH7GA=; b=eBqup4aMV50XBo7rOAxMSVBgaJmJuXgorRTIn6h8WkNP0Ure2YsMO/WK7zSdX5OIOA IyNKPIYu3AwwTfXWcfY7zcYJwlb3x3tKy5KecgFgQPb82M3J2efmlzAxV4Ery14t7yFS 7mR9cUL1oVphI0RoBTKsXzapJ5iuiV4NqvJay6zVefvSXPNBvpT60D+22ijX2xewlZ+D 2Vwv6iGr3gKS7B3T3JWTv20OYF8ly1m1+D+3g2Kp9On8tK1+sVQgbVjEnWnDNqS4aE/n ywqnOrcIR1hIy89NyuYtQaRHw14M0dN8ecu861NTwL3Go2o1uDG3Tz6aq+pzEc8hzTXV UI4A==
X-Forwarded-Encrypted: i=1; AJvYcCWWXjgHX7t119ZQ/3Sf79vfxdKWAi5EEMWK0a8Vtn5QxCtOpkQQ+Cz/Xc8CfgwmXwHul/Y=@ietf.org
X-Gm-Message-State: AOJu0YxRCK9BTjDxMP1y1jTt+5VWbSLK9eGRBK6dI55sfjpbwAC4yfes Is992Wqd5CBDvtSeNc+uouM3qKfO0FcijwtAgf+6CsIJB6fWxtoMWl6sCt8M8XncI7aqfXkDCaJ dz6RM+VxJxwHkPWiohZ+DjEFXBYtwwVtHnbV7QYDQAUWX3FErLrxDNgkuDYuphuYdc6zUEBkMtP 0Kv7OVT56peG2WGAmFwxjxJV71XUDvd0qXCU1xGue6jWdAVZfRwHN2EilX4sY9tsaYYLH6WwU=
X-Gm-Gg: ATEYQzwZ9g+gcj0mVmiDsmyaqgCO4XkA3wozxl+5PKK0aZYHvBgQUYOg3lns+AFWPlI 45HnykOmSxIITnU4t2adEyW46wSb6NM3r7QV+fDsWE4A17KzAql8b/oPfp6JJBzIF+PXoQQnhQu HdqhFdcz78wJsemJQgk1ELa2R15YOKCXoJyZ81uler4nbNymVHa4wsZ/5UN/BC98PCFN/DD3+MB AzOZ+qOhAkqDv/M7Cspq1T5upcSmx+VZ5WrbcHgHWvKwLZs+M+YX/V6+Vw9+r3W26IaR4ZWUwhx kpx5u2DFYYhg+kMlFc9mYuzsJ9TPODVfSzyLQouKOeGQHifVJKq60uVjvIIQzz+1vI6J0gw7Z/v ZoEsZj6o7fRUZwKaxItQGfuPlNdB+raksFnpWc0DFli634Fzq+hylqaHt72JtEo0dVbQAHPOWZO VVnWbLYAaLHpRadp/yrCiP2M42X7nCyPl0OJBxNZq4u5g7IPoFEV7OiDBcJPAo
X-Received: by 2002:a05:6214:c4c:b0:89c:44f9:e879 with SMTP id 6a1803df08f44-89c85ac7a0dmr223241986d6.49.1774298763948; Mon, 23 Mar 2026 13:46:03 -0700 (PDT)
Received: from smtp-us-east1-p01-i01-si01.dlp.protect.broadcom.com (address-144-49-247-117.dlp.protect.broadcom.com. [144.49.247.117]) by smtp-relay.gmail.com with ESMTPS id 6a1803df08f44-89c8520b187sm10670036d6.3.2026.03.23.13.46.03 for <tls@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 23 Mar 2026 13:46:03 -0700 (PDT)
X-Relaying-Domain: broadcom.com
X-CFilter-Loop: Reflected
Received: by mail-wr1-f69.google.com with SMTP id ffacd0b85a97d-43b3e6eb998so3488828f8f.3 for <tls@ietf.org>; Mon, 23 Mar 2026 13:46:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1774298762; x=1774903562; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=g89dlzf21XoRI/948FNcHqejRXjeXD0ywp5FrtMH7GA=; b=iKIZVKwjVCv/6Gn8LJVlpJ1dXp7krsCzUuEsjRnavYBnT73G9VpZ8IBgg3j4xiknuV Vjxb7UqfscE3YnhIilOvd+WuSvbehd7pl2jvn8estCdBeplKvoE9JllPXpPEsUtfrvzg iWWi+xNaVk03+mDLMayFuB8U/rY9DihT0+jWo=
X-Forwarded-Encrypted: i=1; AJvYcCX8DtM5Mc/3pl3u5W26egSDjOoE2+39uVjZDgTISv+w337zFGXSs6O7IKmZx02Aa0UycWY=@ietf.org
X-Received: by 2002:a05:6000:2389:b0:43b:3a65:8c9d with SMTP id ffacd0b85a97d-43b6423b77emr20838585f8f.19.1774298762096; Mon, 23 Mar 2026 13:46:02 -0700 (PDT)
X-Received: by 2002:a05:6000:2389:b0:43b:3a65:8c9d with SMTP id ffacd0b85a97d-43b6423b77emr20838552f8f.19.1774298761414; Mon, 23 Mar 2026 13:46:01 -0700 (PDT)
Received: from smtpclient.apple (88-178-226-238.subs.proxad.net. [88.178.226.238]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43b644bdaf8sm37505006f8f.13.2026.03.23.13.45.59 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 23 Mar 2026 13:46:00 -0700 (PDT)
From: Arnaud Taddei <arnaud.taddei@broadcom.com>
Message-Id: <E11F495D-0C58-4B9C-842F-77286EE87535@broadcom.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_BC6D90D4-22EA-4A57-8D7C-A49198DD91E9"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.400.21\))
Date: Mon, 23 Mar 2026 21:45:49 +0100
In-Reply-To: <7af7d6f2-e53a-40f3-863a-4afaaf574a9a@tu-dresden.de>
To: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
References: <AS5PR07MB10596F6F561F755EDBABFEC35894CA@AS5PR07MB10596.eurprd07.prod.outlook.com> <7af7d6f2-e53a-40f3-863a-4afaaf574a9a@tu-dresden.de>
X-Mailer: Apple Mail (2.3864.400.21)
X-DetectorID-Processed: b00c1d49-9d2e-4205-b15f-d015386d3d5e
Message-ID-Hash: D5ENQULGQFZASCXRC6PDY6QJS3ALGYZL
X-Message-ID-Hash: D5ENQULGQFZASCXRC6PDY6QJS3ALGYZL
X-MailFrom: arnaud.taddei@broadcom.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, tls@ietf.org, Scott Mansfield <scott.mansfield@ericsson.com>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: LS on the work item related to QKD and TLS integration framework in SG13
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uBipjsoC8Sek6DmSrYwFfFaQ5d8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Thank you Usama, bruh! Where to start in this thread. 

1) to QKD or not to QKD, I am not going to in too many details now from what I can read because that would be a dozen of pages 
1a) I was the one who gave a home to SG17 to the QKD side in 2018 as part of the first steps of the nascent SG17 incubation mechanism  <https://www.itu.int/dms_pub/itu-t/opb/tut/T-TUT-ICTSS-2024-1-PDF-E.pdf>
1b) and I did it despite the fact that I could have been vengeful given what I saw and suffered when I started at CERN in 1993: the hatred between physicists and mathematician. 
If Pete Resnick would have been here he would have been busy 24/24. 
No luck for me I was coming from the Russian Academy of Sciences in Moscow in social mathematics (funny how this is coming back now in other contexts!). 
And I was rapidly told and learned the hard way to HIDE that I was coming from the mathematics side.

1c) Anyways, all to say that I am frankly tired to see this battle. 
QKD is resolving a very specific problem in a very specific context: 
QKD is only responsible for generating symmetric cryptographic keys
The NCSC has published several documents on QKD (see Quantum networking technologies | National Cyber Security Centre - NCSC.GOV.UK <https://www.google.com/url?q=https://www.ncsc.gov.uk/whitepaper/quantum-networking-technologies&source=gmail-imap&ust=1774884450000000&usg=AOvVaw2YF1VsFquKJp98dgbMOuJI>), and these documents recommend that QKD be implemented together with quantum-resistant authentication mechanisms.

Saying that there is no market behind it is wrong, but this market is small and will stay small for a long time. 
The Chinese launched their Quantum satelite in 2016 that means that they must have convinced the Communist Party probably in the 90s. 
Whilst spatial links work with as long distance as the laser can do, it is not the case for terrestrial 
and I agree that the concept of the trusted node is a patch. 
On terrestrial QKD can only move to another level when physics relays are industrial class and I didn’t look in it in the last few years but when I realized what it needs to happen on the physics side and the astuces that the physicists were at, it left me speechless. I doubt this is the case still today. 
I had the chance to be invited in China to see the Chine NOC from satelite to terrestrial from Beijing to Shanghai … all the nodes working.
In the meantime the Chinese have as well now 6m users on their QKD solutions.
It is not just China and I know for a fact other countries and and for some cases a number of armies working on it and if you would know which ones everybody would be VERY surprised on this thread. 
Around me in Geneva nearly all the banks have QKD p2p links since perhaps 15 years and happy with it, with no trusted relays because they are beyond the 60/80km to connect their data centers. 
I don’t know how many satellites programs are in preparation but this is mushrooming and with BIG names of the industry behind
More importantly I spoke to a 1st tier financial institution recently and a critical one that of course needs PQC readiness but wants TOO, QKD solutions. I have other use cases I cannot speak about.

MY CONCLUSION: 
1) I don’t like mono culture and mono solutions in security simply because by metaphor Mother Nature is not working like this and allows many ways to defend. I see defense like in biology where you can find multiple solutions to defend. Some are more or less mature at that’s ok. In the long run ’natural selection’ will tell us. But destroying one solution because some are on a dogmatic line to do so? No
2) It is frankly humanly speaking harassing for the QKD side to be constantly beaten up by some of the PQC side and even worse when it is coming from some governments. I find it painful, unkind, a frankly in todays world I don’t even see the point.

As SG17 chair I took a very balanced and neutral view (no different than on anything btw) between PQC and QKD which are respectively in Q11 and Q15. For Q15 they even have the hybrid PQC/QKD work too 


2) coming back to the problem of this LS

a) reading the work item, to be totally transparent I don’t understand what it does in SG13 but that is now an internal ITU-T issue
b) yet this tells me that at this stage this work item is trying to show a solution which is too generic and would require a lot of contextutalisation
c) the context of the work item of Q13 and its LS to TLS working group is that TLS working group “should” answer it, in fact “must” from my point of view
d) the answer should stay neutral and to the facts, I personally like the fixes on section 10.1 and on Appendix 1 proposed by Viktor 

The real questions that come to mind could be on the line (and thanks for Q15/17 team to help me here)
A) is this work item Y.QKD-TLS trying to extend the application domain of QKD to a general-purpose internet security frameworks? Is this meaningful?
B) what additional considerations (primarily from a security perspective are required? 
C) how such discussions should be coordinated with the IETF and IRTF QIRG?

So if I restart from John’s first draft (thanks John) and consider all the inputs I would go with something in the line of a new beginning and and a new end. In fact points 2 and 3 from John look good to me given all the discussions on this thread.

-----------

The IETF TLS working group reviewed LS2141 <https://datatracker.ietf.org/liaison/2141/> and expressed several concerns regarding Y.QKD-TLS.
1) the application domain of ITU-T Y.QKD-TLS seems to propose a general purpose internet security solution that goes way beyond the scope of QKD solutions. This work item should be recontextualised back to the QKD scope and limits.
2) The solution in ITU-T Y.QKD-TL would not enhance the security of TLS; it would severely weaken it. ITU-T should recommend migration to hybrid key exchange mechanisms such as X25519MLKEM768, which have already seen significant deployment.
https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
https://radar.cloudflare.com/post-quantum
Potentially add Viktor’s old/new here in 10.1 + Usama + etc.
3) In appendix I, the use of psk_ke symmetric key distribution significantly weakens the security of TLS by removing asymmetric cryptographic algorithms for key exchange and authentication. The psk_ke mode was designed for constrained IoT environments, is disabled in many TLS libraries, and is not suitable for high-security use cases such as critical infrastructure. If PSK-based solutions for quantum resistance are used, they should follow RFC 8773 (and its revision, 8773bis), which retains both certificate-based authentication and ephemeral key exchange. This ensures that security is not weakened by the introduction of PSK-based mechanisms for quantum resistance.
https://www.rfc-editor.org/rfc/rfc8773.html
https://datatracker.ietf.org/doc/draft-ietf-tls-8773bis/
4) The IETF TLS working group understanding of ITU-T entities is that such security issues should be coordinated by ITU-T SG17 (Security and Trust) and IRTF QIRG.

----------

Hope this helps

Best Regards



> On 22 Mar 2026, at 06:24, Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> wrote:
> 
> Hi,
> 
> Speaking as member of ITU-T (in SG17; not the one initiating this LS), I want to thank John for initiating a draft response, which I believe is right on spot. Our chair, Arnaud, has kindly offered to do a review but I am aware that he has quite some meetings and travel in the next 2 weeks. So I am giving some quick feedback in the mean time. While I don't find anything "inflammatory" in it (as someone has suggested), it's fine to make a few editorial changes but make sure the core message is not lost in these changes. Please remove RFC8773 and use only RFC8773bis. The reason is that proposal [0] in RFC8773 is fully inconsistent with the key schedule of TLS 1.3, since the very first key (Early Secret) is derived in a wrong way and thus all subsequent secrets are wrong too. Technical reasoning is in [1].
> 
> Speaking as member of TLS WG:
> 
> I disagree with Ekr. I believe TLS WG is the right place for this LS and TLS WG has the right expertise as RFC8773bis is indeed a WG item of this WG.
> 
> I disagree with Viktor with his mention of KEMs for RFC8446. That's not correct. RFC8446 explicitly mentions (EC)DHE and never mentions KEMs.
> 
> I completely agree with Stephen to not say anything about pure ML-KEM to avoid that controversy here. Let's have a peaceful weekend without pure ML-KEM thingy. 🙂
> 
> Sincerely,
> 
> -Usama
> 
> [0] https://www.rfc-editor.org/rfc/rfc8773.html#section-7-14 <https://www.google.com/url?q=https://www.rfc-editor.org/rfc/rfc8773.html%23section-7-14&source=gmail-imap&ust=1774761947000000&usg=AOvVaw1uB3v8qilnw9DsiXnfN6N8>
> [1] https://mailarchive.ietf.org/arch/msg/tls/6Wk82oBGd61rTK23DgfYb7BmRKM/ <https://www.google.com/url?q=https://mailarchive.ietf.org/arch/msg/tls/6Wk82oBGd61rTK23DgfYb7BmRKM/&source=gmail-imap&ust=1774761947000000&usg=AOvVaw1-FXl2nYEt3ziU4g9_Y2_o>
> 
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org

v2.46.0 | Report a Bug | By Email | System Status