[Last-Call] Re: [TLS] Re: Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC

Filippo Valsorda <filippo@ml.filippo.io> Wed, 03 June 2026 17:09 UTC

Date: Wed, 03 Jun 2026 19:08:40 +0200
From: Filippo Valsorda <filippo@ml.filippo.io>
To: "D. J. Bernstein" <djb@cr.yp.to>
Message-Id: <974c9e67-1166-47ad-9b0b-9e940527e313@app.fastmail.com>
In-Reply-To: <20260603125026.2336434.qmail@cr.yp.to>
References: <20260603125026.2336434.qmail@cr.yp.to>
CC: tls@ietf.org, last-call@ietf.org
Subject: [Last-Call] Re: [TLS] Re: Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC
List-Id: IETF Last Calls <last-call.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/J_sKKvJtGyEiQDoETvoU-t87XqQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call>

2026-06-03 14:50 GMT+02:00 D. J. Bernstein <djb@cr.yp.to>:
> Filippo Valsorda writes:
> > all easy to find
> 
> Sorry, I still don't understand what you meant in claiming that there
> will be "exceedingly few bugs" in ML-DSA software. How many bugs and how
> many severe vulnerabilities are you estimating? Where are you getting
> these numbers from?
> 
> Since your posting said that "a single broken key per month can be
> catastrophic" and that a disaster chance above 1% is unacceptable since
> "you are betting with your users' lives", I _think_ you're claiming that
> there's a >99% chance that there are zero severe vulnerabilities in the
> entire ML-DSA software ecosystem. But I'd appreciate a clear statement
> so that I'm sure I'm not misunderstanding something.

You are characteristically cherry-picking quotes from other venues, drawing false comparisons, and then demanding explanations. In a better-moderated forum, this behavior would be sanctioned as disruptive.

In particular, you are taking my statement that there is now a > 1% chance of Ed25519/ECDSA/RSA being broken by a QC before 2030, and demanding I defend a different statement about ML-DSA I did not make. If you're confused about that, it's not my responsibility. I do stand by my assessment that the risk of ML-DSA forgeries (due to bugs or cryptanalysis) is smaller than that of Ed25519/ECDSA/RSA forgeries (due to bugs or quantum computers) or composite forgeries (due to bugs or due to their rollout being slower than quantum computers).

You are also not engaging with the parts of the conversation that don't suit your narrative, so this is not helping anyone, and this will be my last reply. I do have one final question: are you going to publish a retraction of your statements on the applicability and availability of Project Wycheproof test vectors, now that they were shown to be factually inaccurate?