[Last-Call] Re: [TLS] Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC

Tanja Lange <tanja@hyperelliptic.org> Tue, 02 June 2026 12:04 UTC

Date: Tue, 02 Jun 2026 14:04:02 +0200
From: Tanja Lange <tanja@hyperelliptic.org>
To: last-call@ietf.org
CC: IETF-Announce <ietf-announce@ietf.org>, draft-ietf-tls-mldsa@ietf.org, tls-chairs@ietf.org, tls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/-PqSc2OdTxX2Zxmm6ZWweJIffwY>

Dear chairs, dear all,
Already in the previous round I expressed a strong concern on the unprotected
use of ML-DSA. That concern has not changed and is substantive. I also do not
see how it has been taken into account or has been addressed as the same text
is now in last call.

Here is what I had written before:

"
I do not think that the TLS WG should publish a non-hybrid signature proposal
at this point. We should instead put support and effort behind hybrid drafts.
 
I agree that these systems should not be recommended at this point, which is in
line with the IANA considerations, however I'm concerned that the mere
existence of an RFC will be seen as an endorsement by the IETF and lead to
deployment of ML-DSA without extra ECC protection, which is a security issue.
 
I thus oppose publication of draft-ietf-tls-mldsa.
"

All the best
	Tanja


On Mon, May 18, 2026 at 08:40:16AM -0700, The IESG wrote:
> 
> The IESG has received a request from the Transport Layer Security WG (tls) to
> consider the following document: - 'Use of ML-DSA in TLS 1.3'
>   <draft-ietf-tls-mldsa-03.txt> as Informational RFC
> 
> The IESG plans to make a decision in the next few weeks, and solicits final
> comments on this action. Please send substantive comments to the
> last-call@ietf.org mailing lists by 2026-06-01. Exceptionally, comments may
> be sent to iesg@ietf.org instead. In either case, please retain the beginning
> of the Subject line to allow automated sorting.
> 
> Abstract
> 
> 
>    This memo specifies how the post-quantum signature scheme ML-DSA
>    (FIPS 204) is used for authentication in TLS 1.3.
> 
> 
> 
> 
> The file can be obtained via
> https://datatracker.ietf.org/doc/draft-ietf-tls-mldsa/
> 
> 
> 
> No IPR declarations have been submitted directly on this I-D.