IETF Logo Mail Archive

[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

Yaakov Stein <ystein@allot.com> Sun, 09 November 2025 09:14 UTC

Return-Path: <ystein@allot.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 5FA758668EB4 for <tls@mail2.ietf.org>; Sun, 9 Nov 2025 01:14:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=allot.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jkgFceQK9-TV for <tls@mail2.ietf.org>; Sun, 9 Nov 2025 01:14:43 -0800 (PST)
Received: from OSPPR02CU001.outbound.protection.outlook.com (mail-norwayeastazon11023095.outbound.protection.outlook.com [40.107.159.95]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id BF5488668EAC for <tls@ietf.org>; Sun, 9 Nov 2025 01:14:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=pV/g63BBuTYf5NznA0LD/gI8ZL7ouvc9XIrQcvWY53XHW18p7lFslZm0F7fWW1JXKF2pv3A3S39/seEph3S0T8+DguHWKpjqldlp2wDVYxLbVUXD7w0gmqvFz+eWU2wDlPyDloTPDDJHlbQODGfc1gqC9Xi67OElCIEf5JJav8wEW6vPuearYQtIuFuQFOkT+wl175KbDZdmVEGXvFdDXyZDdMgsj8EyyhLuqzEr2WgpkTwljTH+JVxG9c8zZCeYqX4O+O5Ew0FzN7KtTiMrjOYgigm4cy4YEv5hEyBz1xgQG1CQP4TIQYNsjvAGgugF9MWsQsYiDHhx9GDekQrrXw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ih+rkocgF/0eNkuFr+2jVvTTCLoizj2LereILZTlMiU=; b=r4q4wWeUQam+yh8RgemHKGpxBWcLRvouhK8QgQSjv1w1UgObqCs5z+lXkdfk4G60izpkqxMZxpfgCQpbKTDT70uJAO0OCYN/D7NgXWYEYY5QJwL+dEAwlDmMU+sVfr3oc9svcIxdcz2l0BTRNQsV6Fv0sFB5GCfFWVshxyX4zDxHIg7yTUvccmtTTUCo0xZf5JwDCi5i9Lu02X/9jlsK+RKGh3ARkntOgGUZ/VQMDKanmGlINiuo0cM5IDzusiXa7Lq/pgxaxGvYG1E5a22e4Z2MaTCJL52dYRytnUGrK3V5/hVzQ3Gb7CC4f9kdoKnl1AqeKKbw/6ezE5wuPeAtkw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=allot.com; dmarc=pass action=none header.from=allot.com; dkim=pass header.d=allot.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allot.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ih+rkocgF/0eNkuFr+2jVvTTCLoizj2LereILZTlMiU=; b=Cdl5ERKY7sZA/Q1L8ffCf+kX12qGRK3l342TFJcvxI301Xg4BZYhuzT+Lty53no5uCxOwqCGheLU7iL/vuRiUW1QoFANqkmpsqZIn/op0XhELmL3vdtsc0yEe7GCv71hxMv6eet76ZRPpr+AqNi/DDhLq/bRq1SbXhVeLoli/1s=
Received: from PA6PR08MB10707.eurprd08.prod.outlook.com (2603:10a6:102:3cb::5) by VE1PR08MB5856.eurprd08.prod.outlook.com (2603:10a6:800:1ab::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9298.16; Sun, 9 Nov 2025 09:14:33 +0000
Received: from PA6PR08MB10707.eurprd08.prod.outlook.com ([fe80::ff02:9799:b729:ae6a]) by PA6PR08MB10707.eurprd08.prod.outlook.com ([fe80::ff02:9799:b729:ae6a%4]) with mapi id 15.20.9298.015; Sun, 9 Nov 2025 09:14:31 +0000
From: Yaakov Stein <ystein@allot.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)
Thread-Index: AQHcUVlByLBoueyhPEOKrB1tPAmhwQ==
Date: Sun, 09 Nov 2025 09:14:31 +0000
Message-ID: <PA6PR08MB10707F4F72CF0C9141B00864CD3C1A@PA6PR08MB10707.eurprd08.prod.outlook.com>
References: <176236867319.904123.10146982018394612684@dt-datatracker-5df8666cb-7l4w5>
In-Reply-To: <176236867319.904123.10146982018394612684@dt-datatracker-5df8666cb-7l4w5>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=allot.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PA6PR08MB10707:EE_|VE1PR08MB5856:EE_
x-ms-office365-filtering-correlation-id: 66784c73-b359-47f0-50ed-08de1f70646f
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|376014|10070799003|1800799024|4022899009|366016|38070700021|7053199007;
x-microsoft-antispam-message-info: PqcNsUo5INSbAQMqWfctBSt706RS41Dt0aP+iva9qr590At9u9UEl3dTwyujVyaVy0iRkEKEA33c1IgBYurQ1DfwZ1jqYf3Kifqlje5Z1tyZZ6OvBco7rogNf+ZAl5fcIxs4208v/vS2SlLR8+gII0w/Oib6pXy6f9dY+aZxM6ndhAXoZPxY22GjrbC/IDKgru+bAePTbO0HdM6S3V6Gr8EoE5VqAxUZol2XUiPrMkOp2fLhMKd9eU5OS+IBc2+VQhjhr1siNgJt6TzYFVPPCp85lvWuay8vEqYgnITDEJ647iH3Of8mSOb+yao2zmZAXw7i+0Y53e831iwKd4UTy/dJg4N0sqH91KNDBbH6hMw4CLWyN0CMda+VMvxQylCM6iCdIwNq8bB6Oh7EonujoX5oEpue//Zn5dxsM5xuuQTF2mURXLjV6V/btm4d3Y2TJnHYLaO97rSlCSFACxwgaA3KpdVjeuSr3hCg8EMrPmkCLjjgNBx8Cw6LmRsx9fGpOSqLpIpFWasIK53aOIYX5VYz5CWB6c+x38WQxzzNhzEOflOGHMCwLyT4Lwuex44IbVvKB2rKc6mIRP1/zFkyjLe39Sy21qFQL5YbQzn4Nci1FFjNqKfAN7R58JcdwcdQnUic1EoELhGjDH03cLobxyngmU/kztaOKMQch78J7WJ6JFdGs2gu7Xb80hmnAvv2IHZGnUs0Xa8RlWk3a7C79w76fv60thpleJPGNDnHzYHdLwAYdM0NInnufd6uQDGQM2Nb8e+cXcJIuYtk0C91odZ2WXE7pUIsjGiDM6AOL2Lipil3cIDmkO/6l68csLbpWbf1C5JDz/kRECk0BOs51D1Mhw6jRKPE9DsYK7uHsog1tw4+AyY/WvFjBb2dady5NUm0vXSb/IQiE1KjxTnCrSTU0zx85kAsF11XYAmbAsK3/sG0oE67CQie4rGa3gObU5HqJ0Piyo07vtL9kjtXRPP05HqC++72c8sYP2KkCr16f1SZC4vBpOCF7u8OQaFFX+xVxQ5Su1YW+DarKIC7qh8lV5gH3rabsmJCvmrdwylq3et9DtFuwVLhsNBLFwICcW2mjtNVeKeatP2vQkpuFffSme1cSHL07oqjykJUogpPVXuNqRNm3vBXBWee80PGC7Mz/BoI+zyQLkfsciF4Ji7+tsDqUERRxELU/ZEvlixLX3jUZO/1Pf4MHUTHtId3I3VIF1o0zY7ZWn1oB4caqQt53otMxf+sanA4pMS8d1i9o2UPOYAOD2dKobSx9kPCRG+0ScrARc4VxDz6PYKa9ipLmCWeW/W3fJBkR2RoPGlW8NhhgncilIeuORojzWacBbwcTZ3L01es+eqwpM/p9BGMMu/5UWSZoP9UL/9+06D7jmCigN0mJW7A2nH9GNM6hhxzLQibOJqEBvG5RZyJzeIr5ySPi2/YbMyP0sgHzvTxaK33BG9ITLSv4NWKyHH+se+NLidSWFeuvGm746ilpBquwVtqCDgN9BwLUu2IPN5qGwoOu9HH5Y8xEu0ggSvb
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PA6PR08MB10707.eurprd08.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(376014)(10070799003)(1800799024)(4022899009)(366016)(38070700021)(7053199007);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: uEKZuKQQxeDBla4KWzHJ8jtlrt8OrsJgq9m+05hc+JREZK6lIC4Qga4AKVNz6jyJ8tFagtlRM6dJQOVFmrbOD1goH5Rg/jgDlg8ro5Gdl9d4s98qeswOGTcnmxjVP/recPr06UTMm0fqLxKr7F2h+A/ObZ2mt+G1sVVnPTzOqRVjRb17YHH5QKX3010zN0LUfMrf6QRuEdAO6ykTW8ORlv+W3mBE2esQiMqVVtklMhdC52c/irT+WEYfu5q1mzlGwWV67QZT28DfUfhHVlB9B+pummrtBwFUfQF/R+nQ3Ir+ta4wDuAKgfB9AZapnL+ST9LAV1o0+lRacrR/0WgEosXqzbGgDpwuGgEQmLkb3H/KBA+TJ5UNj0huPZSOaAfH2Sy/NcTtC1XAm0W77QMG63I+BXzUdZ+AaTdJ+W7mjOEdxcHS8ry3MhXnFLODmI/bmX3ylTEQmk/mDiikL/FCQhcy3djKYLkPK60jGjrz6vi+5Q+nVPEavu/vlzrq8uIXsc1ml2wNhlVUSEkx9sYVM7pjHnv79BxAtv5W8LSoRaFVIJf+x5EUEjTvyeDkPOi2n7wLXqE4jD09+oJTuWUFnL3sQRWZCoDcbgM7JSaSE3fy12hP/h2accgrncjdNXwpHyJF45vI5CLR14nDG5Sro1bpYDD9oZwxqAzBqP4K5xrzhyTb9xjz5jMKdlsq6z03YGQYMtZ+hJkjYvs942OEyFIf6RzB0V3p+Txja073l1DTrr4Mev9k9gN9BLsjZ1QkF45MF26H8yyIO9hlmmy89CpqiIClWKFOS1DoMt7yQ6vBJFAdqHfvohB3FX6+Ftvpa1t6qTG+6OoUbpiknB7KReXMnmMdMZqLlMPVs+XgWoQf0xC0dI5Jttu4Z3IBhyQ2REtjCTettgeqbVbkvbgCMCblzeJkC2SWe+peIiipI9OXak23mj/xjckY72i31s72ntfVJxLA5bIE04PRbLi0NB20l0TPuL0rC4FQgZamHASnjXdZsksAVyMsYMKW+uWb9kK8vWczk5kYC76GBc0ySjoiEt+B/SPsw4FRgzXv5h4StLyqv5wms3rFOAx1tavF2x8Fr+jCtLozgpb//nKWh9gd0xMHNXwfLQPZfofRFOXhCryNBvKXE7/iiSOhDP45WDt1hncS0YZCyANiBYPBSuIChgeqjf0i8SIjYn/pIfa7Z6v2BYhro+SLhCX46QgTMcxAPPAfAutZ47LZZ0+dIbBwobH9sJniddRmRIscfuo/TXnGZlyuDJQ2o3LO4N74GzBCvM07L8IdLbYCtXj6HplzQx4FdCDYh/2xfaR+3fK3dqU6GHskSwFKbJA8k56cZkPQWseCtF6ffuXY5IuLL/M/JBfNj6cIHyx1bHZAnJWidol0tYlFydGeHw4hseSN+Oc5aBV7ri6xhiZwXSPxwgE5qN75Up2wk9uSnRwNxO/pfePXWKFewz76Tdxtx5NQyN+Htst79aAm5QH/qJlhH9GMzTE5rxjamsvsQ1rk77nlryueCjOCucE3SN7ApRW/IzgYFJfW5TXUg9uoCOZqV6f3UuWtF8rKF5BUupn3E9M0ieB8fs83AyAWDgTJ2L/eZavWpEkEZgzVa+JaFXoJqqtRA5h1k69Hm6en0RdZoCM=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: allot.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PA6PR08MB10707.eurprd08.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 66784c73-b359-47f0-50ed-08de1f70646f
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Nov 2025 09:14:31.4977 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 789e5ff8-0396-414e-803b-13a424e9f5d2
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: GrF9LxxkSSb3v63szPO+hseCUVbaRs2jQbPo7y187xK3B8mnNDOKSSZZlxiR6FguvpobNx9TCjLoxsw5uSVj0g==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VE1PR08MB5856
Message-ID-Hash: DJ6KLKREGTDNXN75FJ2CDIMZUEY3QVRG
X-Message-ID-Hash: DJ6KLKREGTDNXN75FJ2CDIMZUEY3QVRG
X-MailFrom: ystein@allot.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wL7ruggLRXbW2YjaI4RbQ_7BLDY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

In general, I support with the "N" for all three entries.

However, I would like to mention an issue.
The very fact that these are in the registry (and they are already there!)
may entice developers of constrained devices to prefer, say, MLKEM512
due to its being lighter than standalone X25519, and MUCH lighter than the hybrid mode.

Such devices are the most exposed to side-channel attacks,
and often not readily updated once deployed even if a sufficiently efficient LWE attack is found.

Y(J)S

-----Original Message-----
From: Sean Turner via Datatracker <noreply@ietf.org>
Sent: Wednesday, November 5, 2025 8:51 PM
To: draft-ietf-tls-mlkem@ietf.org; tls-chairs@ietf.org; tls@ietf.org
Subject: [TLS] WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

External Email: Be cautious do not click links or open attachments unless you recognize the sender and know the content is safe

Subject: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)

This message starts a 3-week WG Last Call for this document.

Abstract:
   This memo defines ML-KEM-512, ML-KEM-768, and ML-KEM-1024 as
   NamedGroups and and registers IANA values in the TLS Supported Groups
   registry for use in TLS 1.3 to achieve post-quantum (PQ) key
   establishment.

File can be retrieved from:
https://datatracker.ietf.org/doc/draft-ietf-tls-mlkem/

Please review and indicate your support or objection to proceed with the publication of this document by replying to this email keeping tls@ietf.org in copy. Objections should be motivated and suggestions to resolve them are highly appreciated.

Authors, and WG participants in general, are reminded again of the Intellectual Property Rights (IPR) disclosure obligations described in BCP 79 [1]. Appropriate IPR disclosures required for full conformance with the provisions of BCP 78 [1] and BCP 79 [2] must be filed, if you are aware of any. Sanctions available for application to violators of IETF IPR Policy can be found at [3].

Thank you.

[1] https://datatracker.ietf.org/doc/bcp78/
[2] https://datatracker.ietf.org/doc/bcp79/
[3] https://datatracker.ietf.org/doc/rfc6701/



_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-leave@ietf.org
This message is intended only for the designated recipient(s). It may contain confidential or proprietary information. If you are not the designated recipient, you may not review, copy or distribute this message. If you have mistakenly received this message, please notify the sender by a reply e-mail and delete this message. Thank you.

v2.35.0 | Report a Bug | By Email | System Status