Complaint regarding recent TLS chair actions
"D. J. Bernstein" <djb@cr.yp.to> Fri, 20 February 2026 19:35 UTC
Date: Fri, 20 Feb 2026 19:34:59 -0000
Message-ID: <20260220193459.1275541.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: tls-chairs@ietf.org
Mail-Followup-To: tls-chairs@ietf.org, ietf@ietf.org
Subject: Complaint regarding recent TLS chair actions
CC: ietf@ietf.org
List-Id: "IETF-Discussion. This is the most general IETF mailing list, intended for discussion of technical, procedural, operational, and other topics for which no dedicated mailing lists exist." <ietf.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/PStIAGIP2gbTNUPrr3t2jUjnS6g>

This is a complaint to the TLS chairs under Section 6.5.1 of RFC 2026. I am cc'ing ietf@ietf.org for transparency. (I would normally use tls@ietf.org but the TLS chairs are censoring that list. That censorship isn't the topic of this complaint, but it's why this message qualifies for the "more appropriate list does not exist" provision of the ietf@ietf.org charter, RFC 9245.)

## Background: failed WGLC in November 2025

Email from the chairs to tls@ietf.org dated 05 Nov 2025 10:51:13 -0800 under the subject line "WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2025-11-26)" said "This message starts a 3-week WG Last Call for this document. ... Please review and indicate your support or objection to proceed with the publication of this document".

At least eight TLS WG participants, including me, stated unequivocal objections on list to the document during the last-call period, as the following quotes illustrate:

* Thomas Bellebaum: "I **strongly oppose** publication of this document as is."
* Daniel J. Bernstein: "This document doesn't serve any of the official goals in the TLS WG charter. Most importantly, this document is directly contrary to the 'improve security' goal, so it would violate the charter even if it contributed to another goal."
* Stephen Farrell: "I'd prefer this not be published at all for a few years at least."
* Simon Josefsson: "At this time, I believe that non-hybrid PQ KEMs are a security risk."
* Benjamin Kaduk: "I do not support publication of this document at this time; see the 'discuss' points for specific items that IMO should be blocking."
* Watson Ladd: "I think there is no real reason to publish this document, and publishing sends the wrong signal about hybrid vs not. We should not publish it."
* Kurt Roeckx: "I'm also opposing this. There is no reason for this workgroup to get involved. We should only publish it if we think it's actually a good idea, and I've not seen anybody arguing that."
* Muhammad Usama Sardar: "I do not support publication in its current state ... Introduction and motivation is too small: literally two sentences. That's clearly insufficient. Sure, I'm not a PQ expert but an I-D is not for experts only, isn't it? If compliance is the motivation, it should be added in the introduction/motivation with at least one pointer to authentic reference of concrete regulation."

The chairs sent email dated 7 Dec 2025 20:39:00 -0800 admitting that there was not consensus to publish the document: "The working group last call for pure ML-KEM has concluded, thanks to those that participated in the discussion. In summary, we do not have consensus to publish the document as is."

To recap: The chairs issued "last call" for objections to publication of draft-ietf-tls-mlkem-05. There were many objections to publication. The chairs announced, correctly, that the WG did not have consensus to publish.

## Problem #1: Improper second WGLC in February 2026

Email from the chairs to tls@ietf.org dated 12 Feb 2026 11:05:22 -0800 under the subject line "WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2026-02-27)" announced a "second Working Group Last Call for the pure ML-KEM document (draft-ietf-tls-mlkem-07)". As far as I can tell, the "05" in the subject line was a typo.

The sequence of events was as follows:

* The -05 document failed the "last call" in November.
* The document remained idle for months with no WG discussion.
* Last week, the document was suddenly superseded by -06, which 15 hours later was superseded by -07. Half an hour after that, there was this "last call" for objections to publication of -07.

Muhammad Usama Sardar asked the chairs to "start a new thread with the correct subject". The chairs didn't reply.

The changes from -05 to -07 are minor and clearly do not address the objections that had been raised.
For example, the introduction and motivation are still just a single paragraph; there's no pointer to the claimed "regulatory frameworks that require standalone post-quantum key establishment", never mind the question of whether such regulations can or should override the WG's goal of security; and, most importantly, the changes to the document do not address the objection that this document frivolously incurs unnecessary security risks.

The chairs had previously announced that they planned a second WGLC. The mere fact of having a second WGLC is not what I'm challenging here. My complaint is about the chairs issuing a second WGLC _on a new draft that fails to address objections that were already raised_. (This failure appeared only last week, so this complaint is well within the two-month RFC 2026 deadline.)

Issuing a "last call" for objections to such a document is telling observers, falsely, that previous objections _were_ addressed. Misinformation has no place in IETF procedures.

Such a "last call" is also inappropriately imposing burdens upon opponents of a document, tilting procedures in favor of the document. WG participants who already objected are being threatened with having those objections ignored. Simply reading the prior input finds one objection after another that's clearly applicable to the new document, but the chairs seem to be pretending otherwise, so the only way to make sure that the objections are not forgotten is to reiterate them---which is a waste of time for everybody, starting from an improper default of treating silence as approval.

Expected corrective action: End the current "last call", admitting that the input already provided shows a lack of consensus to publish. Do not issue further "last calls" regarding edits of this document unless and until prior objections are resolved.

I should note that a document proponent has proposed a "reset" to issue a new "last call" and discard all previous objections.
This would share the feature of ending the current "last call" with failure, but would exacerbate the underlying problem of ignoring objections.

## Problem #2: Invalid limitations on the second WGLC

The chairs are issuing "last call" for objections to publication of draft-ietf-tls-mlkem-07. Publishing the document without "rough consensus" of the WG would violate RFC 2418, which says that WG decisions require "rough consensus".

Unfortunately, the chairs have been corrupting the consensus evaluation by making statements that are discouraging input to the "last call". In particular, this is improperly discouraging objections. Note that this is a separate problem from prior objections being ignored.

Concretely, the "last call" included the following sentences: "The main focus of this WGLC is to review new text providing more context around the use of pure ML-KEM. For those who indicated they wanted this text, please let us know if the new text satisfies you and if you support publication."

My initial reading was that these sentences are merely soliciting input regarding a particular question, not limiting the scope of the "last call". Saying "main focus" isn't a limitation.

Quite a few people (including me) have already filed objections to -07 during the first week of this "last call", as the following quotes illustrate (some overlapping with the people quoted above but also some new people):

* Daniel J. Bernstein: "I object to the proposal to publish draft-ietf-tls-mlkem-*".
* Stephen Farrell, explicitly repeating: "I'd prefer this not be published at all for a few years at least."
* Izzy Grosof: "Do not endorse or standardize any non-hybrid post-quantum cryptosystem".
* Simon Josefsson: "I don't think the TLS WG should publish this document."
* Nadim Kobeissi: "I would like to register my objection to the publication of this draft."
* joshua@marionberry.net: "I do not support publication of this document."
* Kurt Roeckx: "I still object, still for the same reason."
* Muhammad Usama Sardar: "Unless the above happens, I *oppose* publication of -07".

However, Paul Wouters with "AD hat on" then sent a message (dated 20 Feb 2026 10:00:48 -0500) that sounded much more restrictive. The message started by claiming that "the goal of this 2nd WGLC is to focus on the new text changed in responds to the conclusion of the 1st WGLC", and repeatedly reiterates the same claim. The obvious effect of this claim will be to discourage participation from people with objections to any aspect of the document _other_ than the new text.

There are many obvious questions here about what happened. Was this AD statement coordinated with the WG chairs? Did the WG chairs _intend_ to discourage participation? Did the WG chairs _intend_ to corrupt the evaluation of consensus regarding publication of -07?

What's important for this complaint is that the "main focus" paragraph from the WG chairs is damaging the consensus-evaluation process, whether or not that was the intent.

Expected course of action: Immediately retract the "main focus" paragraph, in favor of emphasizing that feedback is of course welcome from WG participants regarding all aspects of whether to publish -07. Of course, ending the "last call" (see above) will render this moot, but doesn't have quite the same level of urgency.

## Problem #3: Invalid decision regarding the first WGLC

The same message from Wouters also included an astonishing claim that the November 2025 "last call" had "passed WGLC": more precisely, that it "passed WGLC provided some clarifying text would be added that stated that for the general use case, hybrids were preferred". This claim is out of whack with the WG chair summary of that WGLC ("we do not have consensus to publish the document as is").
The message from Wouters continues even more bizarrely by fabricating an appeal process regarding this supposed claim of consensus on edited publication; what Wouters cites for that is actually an ongoing appeal process regarding an earlier claim of consensus to _adopt_ the document.

Furthermore, it is procedurally improper to call for consensus on action X and then retroactively declare consensus on action Y. Shifting to a new proposed action requires discussion of _that_ action, followed by a new "last call" for objections to _that_ action.

Despite all of these reasons to think that Wouters is simply wrong, it seems _possible_ that Wouters is referring to some secret decision by the chairs that the November 2025 "last call" produced consensus to publish. My complaint in that case is that (1) this decision wasn't announced, (2) the justification for claiming that there was consensus was never provided, and (3) the claim is wrong. There has never been consensus to publish this. (The failure to announce the decision until now also means that this part of the complaint also meets the two-month RFC 2026 deadline.)

Expected course of action: Reiterate that the November 2025 "last call" _failed_, i.e., showed a _lack_ of consensus to publish the document. Explicitly state that Wouters is wrong in claiming otherwise.

---D. J. Bernstein

===== NOTICES =====

This document may not be modified, and derivative works of it may not be created, and it may not be published except as an Internet-Draft.

(That sentence is the official language from IETF's "Legend Instructions" for the situation that "the Contributor does not wish to allow modifications nor to allow publication as an RFC". I'm fine with redistribution of copies of this document; the issue is with modification. Legend language also appears in, e.g., RFC 5831. For further background on the relevant IETF rules, see https://cr.yp.to/2025/20251024-rules.pdf.)