[TLS] Re: PQ Cipher Suite I-Ds: adopt or not?
Eric Rescorla <ekr@rtfm.com> Tue, 24 December 2024 18:56 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7F84C15171B for <tls@ietfa.amsl.com>; Tue, 24 Dec 2024 10:56:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 94ezLTipVKNI for <tls@ietfa.amsl.com>; Tue, 24 Dec 2024 10:56:28 -0800 (PST)
Received: from mail-yb1-xb2d.google.com (mail-yb1-xb2d.google.com [IPv6:2607:f8b0:4864:20::b2d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB049C151552 for <tls@ietf.org>; Tue, 24 Dec 2024 10:56:28 -0800 (PST)
Received: by mail-yb1-xb2d.google.com with SMTP id 3f1490d57ef6-e3c8ae3a3b2so4472526276.0 for <tls@ietf.org>; Tue, 24 Dec 2024 10:56:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1735066588; x=1735671388; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=gwkn6eG/F3+w1X88CLk1KFG3lMr7c1mUYLwNzaAqkyg=; b=relymffYpckLjqLGa/apf5P5tCMhCO4FUnEKUCrrxYvVRNwme1e3RPLDY6mo8jiNGC 1MrYGip15XKOUE3QfEImzdr86WjnnoT0cdfbyiAwbz93AuBEoZ/DHZY3eWrx3CsgkXaD 8PG7P5B62xvPAZ6fDyHY6F38UkO75i/euSJDEWotHZR+ZqEVF8qLLjsiwVU7IwQRjegp Y+tbMp8VI4Rz3E7//UX8l8vzITBddr+HKO2MDG/l4nZ8VPoTMzPogp2XxPPfPqwbHYi0 QHr1vaBx84dB/ti0xnBJmMgwSripzkCFbuUmjxNCE1p1g31cJIEwRUPRY7a37GDL3cyL na7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1735066588; x=1735671388; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=gwkn6eG/F3+w1X88CLk1KFG3lMr7c1mUYLwNzaAqkyg=; b=IsZ4xZhqRFeSG0UXqVtDUy08YJNVOSGZx88y0n1wWf4tjjcT0LusaPVhwpGyknTBUH xdOHLEhaCyD1+dq7BhZ+ZGc2+FzRkZemNUJDtmuWP7/9cusNcyVB5ZlB7TdX7h6HnOJ5 iPLvIV/CIFD70t48neVGtVPF0XrfexV7aDogmHBJKW5slYWbG+enOepxGuasPg5ymeBg RZ/JIlJHudclkYBTJG3jiTcVSSWCDXjv/KFBtT9m7RJReon0w8wpRAg0QiwTLM1l59mi qSgg9Tcrmahy9EvjuR6neLbg7ADCSRrKVKiE/fVuGBH8AMQD8FbNKkoSZ5Dl2qfZuJAV iTVw==
X-Gm-Message-State: AOJu0YwZ4/DxN43LTAv9kK6ys92s1OyAEq/ngRX0N0GKa39FCil8YqIG VHtfXTVw6LHQgGhXoG81y91r+s/jRoHe7FGg0n5J/rsjZuJkAydmDOyQ1+uzRNGhhr9j65kOg4b H8H8EC3rRjCNyZVh6/ZtoN85cxGZxbGQeJUOiuhkZPiNDaqvQ/GJsTA==
X-Gm-Gg: ASbGnct4PgFzTY+/hdYLcvDzxOec2lUAMzv/24PM0o1KaVzPkvGY0d8g2ejuvKvAk5D FvBHG+e2E+0OoQyRQwpAncbVKdJ2+LnVuZLpi+qnh
X-Google-Smtp-Source: AGHT+IEeyrOYJ0iE0DYxQdG9k0iYXlPwcdqU+uaIQagVgBYHjbwONk2bw7EE2IulFVOqatbCM3BpozKkRLxPBa9SI+g=
X-Received: by 2002:a05:690c:6203:b0:6ef:6bdf:36d8 with SMTP id 00721157ae682-6f3f823949amr133479537b3.36.1735066587922; Tue, 24 Dec 2024 10:56:27 -0800 (PST)
MIME-Version: 1.0
References: <10A06A24-8126-47B9-B187-55F4288DBBF2@sn3rd.com>
In-Reply-To: <10A06A24-8126-47B9-B187-55F4288DBBF2@sn3rd.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 24 Dec 2024 10:55:51 -0800
Message-ID: <CABcZeBPGXuzzy4OHrLmW0Lgw6C-3F9LtP4eohpJDuNHLb_N-ig@mail.gmail.com>
To: Sean Turner <sean@sn3rd.com>
Content-Type: multipart/alternative; boundary="000000000000a29cad062a08abba"
Message-ID-Hash: AVWQOYHT2QZBKBBWIZ7QXI634FERN26A
X-Message-ID-Hash: AVWQOYHT2QZBKBBWIZ7QXI634FERN26A
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: TLS List <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: PQ Cipher Suite I-Ds: adopt or not?
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zeSBeeqB2BrRsWhKQM8hfKIff48>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
I think we should do an adoption call for: https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/ https://datatracker.ietf.org/doc/draft-connolly-tls-mlkem-key-agreement/ Key establishment is the most urgent need and I think the WG has a clear appreciation of the implication of adopting these drafts, so it's ripe for a call for adoption. I'm much less enthusiastic about the pure ML-KEM draft than I am about the hybrid draft, but I think a call for adoption is the appropriate way for the WG to make the decision about whether to adopt both drafts or just one. I think we should hold off on the signature drafts for a while longer, both to allow the WG to prioritize key establishment and to make some space for thinking about the right direction. -Ekr On Mon, Dec 16, 2024 at 2:00 PM Sean Turner <sean@sn3rd.com> wrote: > Note that there are three parts to this email; the “ask” is at the end. > > Requests: > > Ciphersuite discussions in this WG often turn nasty, so we would like to > remind everyone to keep it civil while we explain our thinking WRT recent > requests for WG adoptions of some PQ-related I-Ds. > > Also, the chairs are trying to gather information here, not actually do > the calls. If we decide to do them we will do them in the new year. > > Background: > > Currently, the TLS WG has adopted one I-D related to PQ: > Hybrid key exchange in TLS 1.3; > see https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/ > This I-D provides a construction for hybrid key exchange in the TLS 1.3. > The I-D has completed WG last call and is about to progress to IETF LC. > > There are a number of Individual I-Ds that specify PQ cipher suite for TLS > currently being developed that specify either “pure” PQ or composite/hybrid: > > ML-KEM Post-Quantum Key Agreement for TLS 1.3; > see > https://datatracker.ietf.org/doc/draft-connolly-tls-mlkem-key-agreement/ > PQ hybrid ECDHE-MLKEM Key Agreement for TLSv1.3, > see https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-mlkem/ > Use of Composite ML-DSA in TLS 1.3; > see https://datatracker.ietf.org/doc/draft-reddy-tls-composite-mldsa/ > Use of SLH-DSA in TLS 1.3; > see https://datatracker.ietf.org/doc/draft-reddy-tls-slhdsa/ > > The IANA requests for code points in the I-Ds (now) all have the same > setting for the “Recommended” column; namely, they request that the > Recommended column be set to “N”. As a reminder (from RFC 8447bis), “N”: > > Indicates that the item has not been evaluated by the IETF and > that the IETF has made no statement about the suitability of the > associated mechanism. This does not necessarily mean that the > mechanism is flawed, only that no consensus exists. The IETF > might have consensus to leave items marked as "N" on the basis > of it having limited applicability or usage constraints. > > With an “N”, the authors are free to request code points from IANA without > working group adoption. Currently, five code points have been assigned; 3 > for ML-KEM and 2 for ECDHE-MLKEM. > > While there have been calls to run WG adoption calls for these I-Ds, the > WG chairs have purposely NOT done so. The WG consensus, as we understand > it, is that because the IANA rules permit registrations in the > Specification Required with an I-D that there has been no need to burden > the WG; there is, obviously, still some burden because the I-Ds are > discussed on-list (and yes there have been some complaints about the volume > of messages about these cipher suites). > > There are a couple of other reasons: > > * The ADs are formulating a plan for cipher suites; see > https://datatracker.ietf.org/doc/draft-pwouters-crypto-current-practices/. > > * There are a lot of different opinions and that likely leads to a lack of > consensus. Based on discussions at and since Brisbane, we do not think > there will be consensus to mark these ciphersuites as "Y" at this point, > however the working group can take action to do so in the future. > > * There have been a few calls to change the MTI (Mandatory to Implement) > algorithms in TLS, but in July 2024 at IETF 120 the WG consensus was that > draft-ietf-tls-rfc8446bis would not be modified to add an additional > ciphersuite because the update was for clarifications. > > * Adopting these or some subset of these I-Ds, will inevitably result in > others requesting code points too. The WG has historically not been good > about progressing cipher suite related I-Ds, either the discussion rapidly > turns unproductive or interest wanes during the final stages in the > publication process. So while there is great interest (based on the number > of messages to the list) about these I-Ds, we are unsure how to avoid the > inevitable complaints that would follow failure to adopt or not adopt a > specific I-D based on different requirements of different individuals.We > know some of you are thinking that that’s “tough”, but if we do not need to > have this fight, see the previous paragraph, we do not see the harm in > avoiding these complaints. > > The chairs would also like to note that currently the WG consensus is to > NOT port PQ cipher suites back to (D)TLS 1.2. > > Ask: > > Is the WG consensus to run four separate adoption calls for the individual > I-Ds in question? > > The Chairs, > Deirdre, Joe, and Sean > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org >
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Salz, Rich
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Kampanakis, Panos
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Martin Thomson
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Rob Sayre
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Stephen Farrell
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Kris Kwiatkowski
- [TLS] Re: [EXT] PQ Cipher Suite I-Ds: adopt or no… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: [EXTERNAL] PQ Cipher Suite I-Ds: adopt … Andrei Popov
- [TLS] PQ Cipher Suite I-Ds: adopt or not? Sean Turner
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Russ Housley
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? John Mattsson
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Watson Ladd
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Sean Turner
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? D. J. Bernstein
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Bas Westerbaan
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Alicja Kario
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Sean Turner
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Sean Turner
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? D. J. Bernstein
- [TLS] Re: [EXTERNAL] Re: PQ Cipher Suite I-Ds: ad… Andrei Popov
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? John Mattsson
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? D. J. Bernstein
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Salz, Rich
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? D. J. Bernstein
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? D. J. Bernstein
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Salz, Rich
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Watson Ladd
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Watson Ladd
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Loganaden Velvindron
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? tirumal reddy
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Kris Kwiatkowski
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Loganaden Velvindron
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Bas Westerbaan
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Eric Rescorla
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? S Moonesamy
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? S Moonesamy
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? John Mattsson
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Scott Fluhrer (sfluhrer)
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Rob Sayre
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Dan Harkins
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Sean Turner
- [TLS] Re: [EXT] Re: PQ Cipher Suite I-Ds: adopt o… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Scott Fluhrer (sfluhrer)
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Eric Rescorla
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Eric Rescorla
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Alicja Kario
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Bas Westerbaan
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? D. J. Bernstein
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Salz, Rich
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Dan Harkins
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Bas Westerbaan
- [TLS] Re: PQ Cipher Suite I-Ds: adopt or not? Sean Turner