[Last-Call] Re: [TLS] Re: Re: Re: Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC

John Mattsson <john.mattsson@ericsson.com> Thu, 04 June 2026 07:54 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "tls@ietf.org" <tls@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Date: Thu, 04 Jun 2026 07:54:07 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/oF8dkbhggnLkegYaePlsh6eVWrU>

D. J. Bernstein wrote:
>(1) common-sense ECC+PQ; (2) damaging security with solo PQ.

You are comparing apples and oranges. Standalone SLH-DSA and ML-DSA are mature solutions that can be deployed in PKI and TLS today. “ECC+PQ” is not a solution; it is a broad design space of potential solutions, none of which are mature.

Please point to a concrete technical ECC+PQ TLS signature solution and explicitly acknowledge that any such hybrid approach would significantly delay PQC migration, to the extent that industry would miss European 2030 deadlines. The PQC migration is urgent. If one believes a CRQC will emerge in 2040, we should already have completed migration of end-entity certificates in long-lived devices to PQC, as we know empirically that many consumer devices have lifetimes of 15 years and will continue to use the public keys with which they were provisioned.

That standalone SLH-DSA or standalone ML-DSA would damage security is very speculative. What is very clear is that draft-ietf-lamps-pq-composite-sigs would 100% damage important security properties, not only compared to standalone SLH-DSA and ML-DSA, but also compared to standalone EdDSA and RSA.

Stephen Farrell wrote:
>There's also: (3) experiment with PQ authentication in TLS while recommending against production deployment at this time.

That is a discussion worth having. Just as there are fundamental differences between key exchange and authentication, there are also important distinctions between roots of trust used for authentication and end-entity public keys used for authentication. Likewise, there is a significant difference between cloud services that can rotate their public keys weekly and long-lived devices that may be unable to update their public keys over a 15-year lifetime.

I think the TLS discussion is too focused on end-entity public keys in cloud services that can be rotated frequently. TLS also relies on roots of trust, and it is widely deployed in long-lived devices where key update is difficult or infeasible over decades.

Cheers,
John Preuß Mattsson

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Thursday, 4 June 2026 at 02:04
To: tls@ietf.org <tls@ietf.org>; last-call@ietf.org <last-call@ietf.org>
Subject: [TLS] Re: [Last-Call] Re: Re: Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC


Hiya,

On 04/06/2026 00:29, D. J. Bernstein wrote:
> IETF does not control software engineering. It _does_ control which TLS
> options it will endorse. At that layer, there are currently two choices:
> (1) common-sense ECC+PQ; (2) damaging security with solo PQ.

I disagree. There's also: (3) experiment with PQ authentication in TLS
while recommending against production deployment at this time.

Were (3) an IETF-consensus position, IMO publishing this document as an
RFC would not be problematic.

Cheers,
S.