[TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3

David Benjamin <davidben@chromium.org> Thu, 09 April 2026 19:45 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 6D354D8F85BF for <tls@mail2.ietf.org>; Thu, 9 Apr 2026 12:45:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1775763956; bh=+wXh20zXjO2nuNkXJtz9IqL8KCWJUPTC1KBIQM91Aeg=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=H97D7X42eMXSm25H58xjkVbIJED2AwbjeiamxjwueD103pdLklwudiqk+8yEJEGvf cYv7Uq2BDQKetc2gRZa5KBfjN5OzjSkpXaHFIQemQdst0Y8nhAf2QF5DiYz9i1I5X1 isDH5dm0SY7IrR1o+8+ba7UbkFAPBO1XrSpuHsF4=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -9.499
X-Spam-Level:
X-Spam-Status: No, score=-9.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TvQEmFLoBuFo for <tls@mail2.ietf.org>; Thu, 9 Apr 2026 12:45:55 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id D631DD8F85B5 for <tls@ietf.org>; Thu, 9 Apr 2026 12:45:55 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id 4fb4d7f45d1cf-66b2d49ffb0so1584121a12.3 for <tls@ietf.org>; Thu, 09 Apr 2026 12:45:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1775763955; cv=none; d=google.com; s=arc-20240605; b=ZtVdjeLTmfzJgV82H65WZndjzSXqivMzLDCns8aYm3/obeDZApFntekwy3xv7l4kFc Hu8mYQ7M79YJDYt9bJ9bFeHUt2kRXlPM5G8BxM/bhzonOx2vFQLJ6TEeiebiSA2gTZFu Tw6+baKbp1XhP/JetYEgUW4HrhgdBBlHkM+oN43y7p7vapC9lAUxMyVegKua5bSsHGwR Viz9tGY97TZ7uwvJdAMm6yI8LdG7Y6Wpq/WB1lUR3p2vvK0+/yl2lTpIgn+v4V9MSAmY jQ9lClWjFcan8gAL+RsjngMb73zlexfd37pNSKUxjZtWffDohuqc8MKXHtRkjMRkx5kV 1CWg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=+wXh20zXjO2nuNkXJtz9IqL8KCWJUPTC1KBIQM91Aeg=; fh=SuYOBdIkHszEdtekXXtZeP6ylBCeSJ5MxNDGDrL4nOw=; b=FfiiWVBCuSdKiKorPU4PBf/U+4G22MBdTrc9f7F2Uel0G83utKslo94j9yDz9TTetl PYr2rmzwTLeyz5thsZ5KWG6m8oZsEWBNZaFgjZf5i9NL7Gu7mFSqssgD6UAQz+lMpZNY NPO0cBa1oNkJBMtr1OQF7dcZf5AHVTWo3v6mGy4i0SVpn1TEGRCCXly+o9n31fF5M+MX 6mhh8RYgrul1G5Ps7S8Lgfrqq7J+G/miidDp9PBaYS/9BPIupYshtzs+WWtvoGeiDda+ dwV4UwGG/TkpwL4ut33T8wrsp2VwWTCPhG/cpigdawanwj+EDC+BwyQW0bOovAonGscH /Q7Q==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1775763955; x=1776368755; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=+wXh20zXjO2nuNkXJtz9IqL8KCWJUPTC1KBIQM91Aeg=; b=IoHtVUM+f/Yr/ODuOrzMK5/MaQbdSxt/OFcG7g2H9pcs2md3nhPZ4Ta2drvEU2ypkD 2mPonfwvwl/7TVpTwYhdFzQcWBIahpErcXwxbzzchnHyiX/+ox6iM19gUHhCOdY2/Saa uGJxufi3VLwPh/pZezBEp6nWlfZSKH4UY/jmI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775763955; x=1776368755; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=+wXh20zXjO2nuNkXJtz9IqL8KCWJUPTC1KBIQM91Aeg=; b=gQ3GFAlz59WLlFnoy+z+uhqpJH+I4Ed8YOMvojYD22ZoDFHkME/RCg5FWeF+rR402b HreIi5ukOm5zcglDvlEszTyTbcSIF0kVrUf5PAx3Sic09i8fg5v69Th6cprOMHY1aNRt V683AFFV+gZju4yl5vwVbfM0AwJ/BjzDQHf+yD0aDLjJqFB+oieQj67NbPNL+cclP2MY lnqH+s4MCaYCtmH1sx/8IrAiqVKzcxblkli4hu0KGqF1N6aP15pqUN1R4Y8G/wUOslbR pe55GO0w6I7s7hzCCv7vVX7mHMC4akNzfGQEg0FKOmO7YqPBI8vhU2rSgckuxwdc78lc balw==
X-Forwarded-Encrypted: i=1; AJvYcCUXzDxmkiF98rZ9R/RjhU4w1D6gWxr8Y/oZBpirqUUmMhnedlJDJYQo6mB6cvujGLo0Ii4=@ietf.org
X-Gm-Message-State: AOJu0Yy2qF7Z9RyY8AvVAkXhXf3xiP84+B+EiWpjKgVgwG/Kbo9ZApMU jzffeWzvM7TtIlTg/h+yU6puA1FX/dYk0fweh/scWTkXW0dJbczcFeh8g0MrPmkZ9fk3lIi+XEo P95yndFvcsSUo1EGOf+BjgjtbYhTMNapTmcCu9a6omBx5cx60kPzLwpdTBQ==
X-Gm-Gg: AeBDiesItYyYmtE3xbzs/SgdFmV23rN3El5mN2om4DuJtsBbRGuNpnuxFrYC8h5hGB4 eDnGv87pUVdtJA66h6vvg6VsPvg1jS7qeT3jFiVJT6XofgffI9uTpWvah9KxUKWQgM6o75IZoYk 6o48HS1MgXqwj2FiFPzFkXkVAtX/eZcH2oq+lGG6Sy+UcDTmHGcNcTCLcTCAnvd4IK/sX/K7/Q0 UwaAsjB4A2McoYKIfLSrHinrQppJhlCe25ycVpfGPbr+yuPISSMN5Ow17Z5spzOiCEqtbIkgyzu OaIG1Km5yy3ZKy3N3BPdclBcIX8hXb0QqVaf6bveM5dMBsFSrvcZb8UPp0kxURoM6NTxMjSMxKi 5193gm35ftTE8+g==
X-Received: by 2002:a17:907:c817:b0:b9c:80d5:f023 with SMTP id a640c23a62f3a-b9d7260e0cemr36344166b.18.1775763954388; Thu, 09 Apr 2026 12:45:54 -0700 (PDT)
MIME-Version: 1.0
References: <16CF0FDA-7263-461A-9F2B-D37DBEAF5DD9@sn3rd.com> <A4D12755-E152-4661-8B32-BD206ADF6F61@vigilsec.com>
In-Reply-To: <A4D12755-E152-4661-8B32-BD206ADF6F61@vigilsec.com>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 09 Apr 2026 15:45:37 -0400
X-Gm-Features: AQROBzD9THJtKDm9ORP78m7pGGNnBIfJIdFa-PwKDrsq1Hm5TaR4vRzredAKOaM
Message-ID: <CAF8qwaB8PMh6MYTKiJenu0QBn_xKRwmVHthKtWjmtSAa06kCMw@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Content-Type: multipart/alternative; boundary="000000000000b5abf8064f0c4361"
Message-ID-Hash: 65OXDZU3S7XRDP2W65OXNRQ3DGBH26WX
X-Message-ID-Hash: 65OXDZU3S7XRDP2W65OXNRQ3DGBH26WX
X-MailFrom: davidben@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: TLS List <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xmePRdYvtnpdbtVN8J2Iz37namg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

I have read the document and support publication as an RFC. I expect we'll
implement it soon.

One extremely minor comment, in Section 3.2, the draft says:

> If the signature or public key is of the wrong length, the client MUST
treat this a verification failure, and thus terminate the handshake with
decrypt_error alert.

This should delete "or public key". The public key is carried inside the
certificate. That means questions of the length *or* contents of the public
key will be resolved at the X.509 layer, either failing in overall X.509
certificate parsing, or in extracting the SPKI from the certificate. What
alert is sent will depend a lot on exactly what is processed in what layer
by the application, so I think it is best to just not say anything. The
signature, on the other hand, is delivered directly via TLS, so prescribing
the alert is in scope. (Even so this sentence is a bit redundant since your
signature verification function had better check the length as part of the
process! *shrug*)

On Thu, Apr 9, 2026 at 3:40 PM Russ Housley <housley@vigilsec.com> wrote:

> I have read the document, and I support publication as an RFC.
>
> Russ
>
>
> > On Apr 9, 2026, at 3:30 PM, Sean Turner <sean@sn3rd.com> wrote:
> >
> > This is the working group last call for Use of ML-DSA in TLS 1.3. Please
> review draft-ietf-tls-mldsa [1] and reply to this thread indicating if you
> think it is ready for publication or not. If you do not think it is ready
> please indicate why. This call will end on April 23, 2026.
> >
> > REMINDER: If you have not done so recently, review the TLS WG's Mail
> List Procedures; see [2].
> >
> > The Chairs,
> > Deirdre, Joe, and Sean
> >
> > [1] https://datatracker.ietf.org/doc/draft-ietf-tls-mldsa/
> > [2]
> https://mailarchive.ietf.org/arch/msg/tls/ucdImHExlbOf4Q3BCG81gjzi2xE/
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>