[TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3

David Benjamin <davidben@chromium.org> Fri, 10 April 2026 13:54 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 9A1C9D97A741 for <tls@mail2.ietf.org>; Fri, 10 Apr 2026 06:54:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1775829271; bh=bJ2gcPTNppmwXQB/X4WIkaAOWmQshogP+YKaVFaJE6I=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=Qw0Fb1lu4bEIqrZGSHSUOXIgDcrMJSnY/0Gh6Lhz5EPpYIkFUxC9M2uqZ6l2yBAf8 LyRZMkZpWcuruslHyWrp3Tf0Z3EwK3LKmWH2LxIWXt7KM7zTI4B8U/KQ3+dWv45x2T XD618L4dBMZ3SJfO3BiGz/3ltdjT4Ss4YRdgzWgA=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -9.499
X-Spam-Level:
X-Spam-Status: No, score=-9.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JeGzxLL_GSPs for <tls@mail2.ietf.org>; Fri, 10 Apr 2026 06:54:31 -0700 (PDT)
Received: from mail-qt1-x82c.google.com (mail-qt1-x82c.google.com [IPv6:2607:f8b0:4864:20::82c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 6224BD97A6F7 for <tls@ietf.org>; Fri, 10 Apr 2026 06:54:03 -0700 (PDT)
Received: by mail-qt1-x82c.google.com with SMTP id d75a77b69052e-50d8da3e656so20311501cf.1 for <tls@ietf.org>; Fri, 10 Apr 2026 06:54:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1775829237; cv=none; d=google.com; s=arc-20240605; b=H7uM0nBXjy9zBBg7cobCk9gKU/6/FoilTvZ9mbVP8TV1I9DdEqn0G92DneV2cG9We2 +lWHvz+adhsWE9OERdjnmesj+C6X8e4wxnc00oqeRNl7qNh/vGVzXSyTqmzMXbmQ4CcZ DJLwJ0a5VbIbuAP7IGP4Wfq+RQOTu8UY1MpQUOUCWFqduCXK+EVisZ4Xxz/FXqwhW1zt 9FqgvAcAHMs6rEcCsC/v3uv1vsskAfoeorGbJjYEPdHJaalWepS4aHvGUvWCq3QXFeHm arbWQTMvadpTHKy/bIckz6TXelxWnL361Bh2H0zk95AbXybLaNr1MIdTF6wfXEa5J6B1 e37g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=nxsCw5GSivLkZwtlc+88dfu2/1xP6uOIDDuAV8NrTWk=; fh=OH74M08QGDwIVj6mx+cfTnJg81tmuAA+tY94f3RK6tw=; b=hNFjcWQD4C+m561hYY6dvsCZLJOtUsXe22wG5kjPra/OeU98VZ0lydO9dMZIRawYip mtlMxUo508O9JqoEZxWO4jDvTvEbJJIZHVnYHMUb3jQ2dYruGs54CtApoEFOq6//4Gfg l58vqvHhTXx+PIxzcYqfavKIuAb9w5Eg4EOk1+IiNIJvuKCin/P0mzJW2pF0wbBInUZs Z7fw7IOpZE+fcgXMjPSV4vbiMRdjelEQ3h54S71rKI4WKWmxO7WFf/eGozyL5AVSvYIU J++NS6SI8Hgc3vNoyIs0vKIBeatkXBheKFtTC6oBDr3vfBgiIIuBZQSqOuTmhXFv6mQ5 Csyw==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1775829237; x=1776434037; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=nxsCw5GSivLkZwtlc+88dfu2/1xP6uOIDDuAV8NrTWk=; b=EoXXA3w7ev2g320CT8dCafVY2jmaF7jVp8Ezf64jHTHivsEWztSgjZjzs6ey+JIgd8 w8CthzxqqhotzPgyLzK8nHVgRfK/5/tL7yVG4l/blshwQMGIEk+6fdhfMaSRYp8hp+y5 mQVei3p0GdVabgTL0hURd8330R96apW7+Ys/E=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775829237; x=1776434037; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=nxsCw5GSivLkZwtlc+88dfu2/1xP6uOIDDuAV8NrTWk=; b=cE9oeWVQXdVhnpbOk/uZv+VIO564akP9Q4roSYTupOlDoDQoB23ZBTpTN5zbuevYgI tdT+9LvXg9JOijPr2AFtNCr3D3GFVrLhjpXH8SRwTdfVN5eAg94b7W8RWpf88JWF9GxE NGMB/ZmEGNMUGJM6+bJ0HtcDMUe1R1JT7Yh+yfoHALcPOuBdGOYh/NVeIVk5A1WE29z6 ZoOnIk4aFyAGwiiNoqtYqCn3lC958vfECq4nGWHebAKh66/OdsK0DikzyuL3Zg20Mg/o rUSMALiBaXob2FVf7C/idWzjTbcdliiF5yTdtuECKwLX5YnzODA52SyTuvV2bZ7fm8rc cGrg==
X-Forwarded-Encrypted: i=1; AJvYcCWtov16YDsqNfFMptPtBxIwKDFEfIZ+YMQUxKCroUlR+vvcvUzxXKnAoNMqMX7Vxr2BwKs=@ietf.org
X-Gm-Message-State: AOJu0YyUxOsP9DbTTmDbRdZKQ5DPI2akFL+dQKFnfVKRDDC5kPDoxzIC kjGQ5hB8UsTaX/4YCvoYPcac0GsEiDWwpZ7zUo3BogtVaewGeAohF4NaDq7awdZTBMROuiyxsuJ yoXHB5EpyW8t50h1+VXEFKJ+zKRh26cezk/onp4sv905sAn7GYoSHiKs=
X-Gm-Gg: AeBDietGmr7hFdAOb+S+uaFphanOI0RfNtQn4tqbsIZheXP9BYkKDP3NNeMQUKTXK8W CrnMn4qc0hDDaY7XOrvhe2k8alySxun0q6/fSVGElVxx8z6J/580fZJfIPu7NVZNdGJCL9JzkKU L2/n/uc6rbjKPos8VIz3qmYcLaPRHcc2vHiPPgW+44MKbdBOBgzvrMedzTYeCo0MoacBQ8Jxj39 ofSMmZ2yA6NXD5xHMv42+R2f6f5G0z3YuiJFv7ZJUjYOWQh/fqVVeLQnPOmnr2ugZCw03yEVM6n E4iOpJtc8GUiGsdegMo09fbrp3gWERk+hVIBdPXdWEPCcLln8gUJLR0=
X-Received: by 2002:a05:622a:4110:b0:509:2053:ab60 with SMTP id d75a77b69052e-50dd5bba00amr52789661cf.47.1775829236664; Fri, 10 Apr 2026 06:53:56 -0700 (PDT)
MIME-Version: 1.0
References: <16CF0FDA-7263-461A-9F2B-D37DBEAF5DD9@sn3rd.com> <25c8d414-e4c8-455b-bd64-28132615ba75@cs.tcd.ie> <68f49a81-dd2c-4bea-896a-87da3e6aff68@tu-dresden.de> <CAMjbhoWwvfkfScpbf4-5PBzk__qb+6M4ZzAOba64kk9aXBba5g@mail.gmail.com> <d47a34ab-7fb9-4687-84aa-a5fa6bcf6a6c@tu-dresden.de>
In-Reply-To: <d47a34ab-7fb9-4687-84aa-a5fa6bcf6a6c@tu-dresden.de>
From: David Benjamin <davidben@chromium.org>
Date: Fri, 10 Apr 2026 09:53:42 -0400
X-Gm-Features: AQROBzAat1JspqBQAf8z23cWuHG3eXWK7Y39aDspeIGQFmWbiV8NRo9Lx9O_-EU
Message-ID: <CAF8qwaAFbx5kEZ_0D56yhimwQrbvzo9-NeS3P8gyczA8yR0XYQ@mail.gmail.com>
To: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
Content-Type: multipart/alternative; boundary="000000000000d668fa064f1b76d0"
Message-ID-Hash: HFE4Y3WBJTDEFS4RDC26SQ7GVW7MFAPW
X-Message-ID-Hash: HFE4Y3WBJTDEFS4RDC26SQ7GVW7MFAPW
X-MailFrom: davidben@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: TLS List <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zVc4JsEXvPbH7mcWiP7i9Zl_luE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Fri, Apr 10, 2026, 09:07 Muhammad Usama Sardar <
muhammad_usama.sardar@tu-dresden.de> wrote:

> On 10.04.26 13:08, Bas Westerbaan wrote:
>
> # *Some editorial nits*
>>
>> Please move Sec. 3.3 to Appendix. Title has TLS 1.3. I was surprised to
>> see TLS 1.2 which has nothing to do with the title.
>>
> The section contains normative language and would be out of place in the
> appendix.
>
> Sorry but this may be a misunderstanding (either mine or yours). Does
> Informational vs. Standard Track make a difference here? Because for the
> latter, I see ca. 30 normative MUST in in Appendix of RFC-to-be 9846.
> Please correct me if I am misunderstanding something.
>
> We could remove "1.3" from the title.
>
> Sure, that would have worked for me, but doesn't that contradict
> draft-ietf-tls-tls12-frozen? Could we simply remove the whole TLS 1.2
> section? We agreed we will not provide PQC for TLS 1.2. So IMHO, it seems
> completely irrelevant to the milestones of the WG, and the draft should not
> make opinions on irrelevant issues.
>

This was discussed at the meeting, in meeting chat, and on list. We agreed
we will not provide PQC for TLS 1.2. We need to actually do that.

Whenever we work on TLS, we have to always remember that all versions of
TLS are joined at the hip. They share a ClientHello, implementations
typically support a range of versions, and a client sends a single
ClientHello that is good for all versions it supports. TLS versions also
share ClientHello fields, including signature algorithms here.

To define a codepoint in a shared space, how that codepoint interacts with
all TLS versions must be well-defined. Saying nothing leaves it ambiguous
whether the new codepoint applies to TLS 1.2. Remember, a TLS 1.2+1.3
client *will* send this codepoint to TLS 1.2 servers simply due to how the
protocol works. This is something the WG deals with whenever it adds stuff
like this.

That means this section is worthwhile and has a place in this document.

(As a minor technicality, because TLS 1.2 actually constrains the key type
in two places and there are no ML-DSA cipher suites or client certificate
types for TLS 1.2, one could argue those implicitly take it away. However,
this is a subtle point and, in the client certificate type direction,
inconsistently enforced by real world implementations. Thus it is better to
be clear and explicit.)

David