[Last-Call] Re: [TLS] Re: Re: Re: Re: Re: Re: Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC

John Mattsson <john.mattsson@ericsson.com> Tue, 26 May 2026 07:34 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, Viktor Dukhovni <ietf-dane@dukhovni.org>
Date: Tue, 26 May 2026 07:34:16 +0000
Message-ID: <AS4PR07MB882521D0DCAA6DCF979845C2890B2@AS4PR07MB8825.eurprd07.prod.outlook.com>
CC: "tls@ietf.org" <tls@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
List-Id: IETF Last Calls <last-call.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/MQvTqpKg4mRD0yeZpGDowkU0Z-I>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call>

Brian E Carpenter wrote:
>Assuming that means "breaking two algorithms is always harder than
>breaking one algorithm", that is very hard to argue against, from
>my point of view as a crypto ignoramus.

This is, in fact, very easy to argue against. Hybrid schemes can, and demonstrably have, failed in at least two ways:

1. The composition fails to preserve the security properties of its individual components.

2. Implementation bugs prevent the system from achieving the intended hybrid security guarantees.

Poorly designed hybrids can actually be easier to attack than any of their constituent components individually. One example is [1], which inherits the malleability weakness of ECDSA, destroys the beyond-unforgeability (BUFF) properties provided by ML-DSA, and introduces an additional independent malleability weakness. As a result, attacking [1] may be easier than attacking either component on its own.

We have identified major implementation flaws in two independent hybrid signature solutions that suppliers attempted to sell to us. In both cases, the effective security was reduced to that of the weakest component.

For regulatory reasons, it is essential that the traditional component can be removed in the future. Composite hybrids cannot be used for long-term trust anchors, as they create a significant legal and compliance risk.

Brian E Carpenter wrote:
>It doesn't follow from that we shouldn't document how to apply
>PQ-only algorithms, as long as we *also* document and cite
>this risk analysis.

Security considerations for hybrids would be good, but I don't think they should be in a single algorithms document, and documenting the risks with hybrids is equally if not more important, as it has been mostly overlooked.

[1] https://www.ietf.org/archive/id/draft-ietf-lamps-pq-composite-sigs

Cheers,
John Preuß Mattsson