[TLS] Re: WG Adoption Call for Use of ML-DSA in TLS 1.3

Eric Rescorla <ekr@rtfm.com> Wed, 16 April 2025 02:31 UTC

List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zn5ITyNcJ5u4zgpoBGV4WVYu1qE>

On Tue, Apr 15, 2025 at 7:02 PM Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:

> On Tue, Apr 15, 2025 at 01:55:35PM -0700, Andrey Jivsov wrote:
>
> > I don't think that standalone ML-DSA should be adopted.
> >
> > There is time to move to a non-hybrid X.509 and digital signatures in the
> > future.
> >
> > This topic has implications for the availability of X.509 certificates, as
> > there is a real risk that CAs will prefer standalone ML-DSA to the
> > exclusion of hybrids, and also that other protocols will be limited to
> > standalone ML-DSA.
>
> But CAs do not choose EE keys, the key in the CSR is chosen by users.
>

Well, yes and no. CAs, at least in the WebPKI, will only sign keys that
are allowed by the CABF Baseline Requirements (which, AFAICT, do
not allow any PQ algorithms at present).

-Ekr



> And CAs can start to use ML-DSA to self-sign trust-anchor certs or sign
> intermediate issuer (subordinate CA if you prefer that term)
> certificates whether or not ML-DSA is a defined signature algorithm in
> TLS.
>
> I support adoption, will review, and don't see a compelling reason to
> delay adoption.  Are we likely to produce a materially different spec
> if this is delayed and for how long?
>
> --
>     Viktor.
>
> $ posttls-finger -c -Lsummary dukhovni.org
> posttls-finger: Verified TLS connection established
>     ... TLSv1.3 with cipher
>     TLS_AES_256_GCM_SHA384 (256/256 bits)
>     key-exchange X25519MLKEM768
>     server-signature ML-DSA-65 (raw public key)
>
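As an added illustration, not part of the thread or of Postfix: a small Python parser that reads the posttls-finger summary Viktor quotes and labels the key exchange and server signature as classical, hybrid, or standalone PQ, which is exactly the distinction the adoption discussion turns on. Both input samples are constructed here (the classical-only one is a hypothetical peer for contrast), and the marker lists are this example's own heuristic, not Postfix output.

```python
import re

# Constructed inputs: the first re-types the posttls-finger summary quoted in
# the thread, the second is a hypothetical classical-only peer for contrast.
# Neither comes from a live scan.
SAMPLE_PQ = """posttls-finger: Verified TLS connection established
    ... TLSv1.3 with cipher
    TLS_AES_256_GCM_SHA384 (256/256 bits)
    key-exchange X25519MLKEM768
    server-signature ML-DSA-65 (raw public key)
"""
SAMPLE_CLASSICAL = """posttls-finger: Verified TLS connection established to
    example.invalid[192.0.2.1]:25: TLSv1.3 with cipher
    TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
    server-signature ECDSA (P-256) server-digest SHA256
"""

# Heuristic substrings for this example; extend for other PQ/classical names.
PQ_MARKERS = ("MLKEM", "ML-KEM", "ML-DSA", "SLH-DSA")
CLASSICAL_MARKERS = ("X25519", "X448", "P-256", "P-384", "P-521",
                     "ECDSA", "RSA", "ED25519", "ED448", "DHE")


def classify(name: str) -> str:
    """Label an algorithm name as 'pq', 'hybrid', 'classical' or 'unknown'."""
    upper = name.upper()
    pq = any(m in upper for m in PQ_MARKERS)
    classical = any(m in upper for m in CLASSICAL_MARKERS)
    if pq and classical:
        return "hybrid"      # e.g. X25519MLKEM768: classical ECDH + PQ KEM
    if pq:
        return "pq"          # e.g. ML-DSA-65 on its own: standalone PQ
    return "classical" if classical else "unknown"


def parse_summary(text: str) -> dict:
    """Parse one posttls-finger -Lsummary block into labelled fields."""
    flat = " ".join(text.split())            # undo the terminal line wrapping
    trust = re.search(r"posttls-finger:\s+(\w+)\s+TLS connection established", flat)
    version = re.search(r"\b(TLSv1\.[0-3]|SSLv3)\b", flat)
    cipher = re.search(r"with cipher\s+(\S+)", flat)
    kex = re.search(r"key-exchange\s+(\S+)", flat)
    sig = re.search(r"server-signature\s+(\S+)(?:\s+\(([^)]*)\))?", flat)
    sig_name = sig.group(1) if sig else ""
    sig_detail = (sig.group(2) or "") if sig else ""
    return {
        "trust_level": trust.group(1) if trust else "unknown",
        "version": version.group(1) if version else "unknown",
        "cipher": cipher.group(1) if cipher else "unknown",
        "key_exchange": (kex.group(1), classify(kex.group(1))) if kex else ("", "unknown"),
        # classify on name plus detail so "ECDSA (P-256)" is seen as classical
        "server_signature": (sig_name, classify(sig_name + " " + sig_detail)),
        "raw_public_key": sig_detail == "raw public key",   # RFC 7250 RPK, no cert chain
    }
```

Run over a fleet of posttls-finger summaries, the "pq" label on server_signature is the signal for the standalone-ML-DSA deployments the thread is debating, while "hybrid" on key_exchange shows the X25519MLKEM768 case.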