[Last-Call] Re: Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC

Simon Josefsson <simon@josefsson.org> Mon, 18 May 2026 17:49 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: last-call@mail2.ietf.org
Delivered-To: last-call@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 1902DF0417F3; Mon, 18 May 2026 10:49:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1779126553; bh=Q9DdTLFnQ1aOhaQjv7tG0LFOi4lfnlTZzRREsf23xpg=; h=From:To:Cc:Subject:In-Reply-To:References:Date; b=j+MKiqAeNQEpTtLv8bXjRX4obmKobcZrznl5lvo67VSoQJXoQgSs9qrIIvE6M5Nkh gLOM8ZVkrWuK9VHHEEGgCvj2Xl8YDjykcyHbcEJyL4m7dEy3XzKhLkf3D1qtZXexc8 RbfHTV0TpgmdeCFWRG3CL2qV5CK8QWXxlbXgYoMQ=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.401
X-Spam-Level:
X-Spam-Status: No, score=-4.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=josefsson.org header.b="+5ND94iq"; dkim=pass (2736-bit key) header.d=josefsson.org header.b="YPp59LJe"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uyYFmzyia3bG; Mon, 18 May 2026 10:49:11 -0700 (PDT)
Received: from uggla.sjd.se (uggla.sjd.se [IPv6:2001:9b1:8633::107]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 5EE59F0417EA; Mon, 18 May 2026 10:49:11 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=ed2303; h=Content-Type:MIME-Version:Message-ID:Date: References:In-Reply-To:Subject:Cc:To:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=+4S2Q9RsnZLUtTUZnsderRWoCK1nVFo0Lo6kpmTvV1Q=; t=1779126547; x=1780336147; b=+5ND94iqzXw3/j2HOGFSR7HKZOOv3XU8bZgWXgBEADKnxxUcKE56RZaqH388aINQDzMR7VfA5IC wG+HF6sNjBw==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=rsa2303; h=Content-Type:MIME-Version:Message-ID:Date: References:In-Reply-To:Subject:Cc:To:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=+4S2Q9RsnZLUtTUZnsderRWoCK1nVFo0Lo6kpmTvV1Q=; t=1779126547; x=1780336147; b=YPp59LJeIlH0m29Q8KfQfQ1sFIkb6J10CNaVbQWH4hkgMjgRMVQf5GIFEm4tkJ4i2QjnGoy2ANi J1q/CYAiZPFgCkXsi4Zx0GqQYkkNXXiDBfaOSwpQpzjLgAM8N7waQbXCL5mumyEzPte4mnxIapmsc f2O2AZYQpKLpH8gObHg4FTlP0f+ssTjD+U4Vb1Sixq1TApZFtmC6ri9hr67u39JR/1RTt2o6ZIhJ8 eBW6krvxDGppDC8G0QwGG0Cumb+CzsQb5FPbvTs2g2NdFB69GoIPhTjiyMqzQObVAG3Z5eAmDP3gH 7iiDkGpMP7kVvp9N5IjeATRDzmnXtwd+g1aAcU4LW+g1NLgDQpsbmOu8YSyhD3gwVdAq2Xtyis2Kh eWTFUrigoFE2loO9rZkmfKRsWZJOAQQEdUsmtRhoHiNJhwZgWYt/VtdJ+G1ujFyKJ9xbdLX9a;
Received: from h-178-174-130-130.a498.priv.bahnhof.se ([178.174.130.130]:47020 helo=frallan) by uggla.sjd.se with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <simon@josefsson.org>) id 1wP25L-004f0v-N3; Mon, 18 May 2026 17:48:59 +0000
From: Simon Josefsson <simon@josefsson.org>
To: The IESG <iesg-secretary@ietf.org>
In-Reply-To: <177911881651.554519.6124006444783847072@dt-datatracker-7688897f84-l74h4> (The IESG's message of "Mon, 18 May 2026 08:40:16 -0700")
References: <177911881651.554519.6124006444783847072@dt-datatracker-7688897f84-l74h4>
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt
X-Hashcash: 1:23:260518:draft-ietf-tls-mldsa@ietf.org::iASj22BNWQjEsIUp:9mOb
X-Hashcash: 1:23:260518:tls-chairs@ietf.org::fSF2Xglcq8+ItvPS:X8zc
X-Hashcash: 1:23:260518:iesg-secretary@ietf.org::DNpbDO75fj+T7Hs6:CyLH
X-Hashcash: 1:23:260518:last-call@ietf.org::jff5ckgUlgZknyca:YlDK
X-Hashcash: 1:23:260518:ietf-announce@ietf.org::ErwvPlbi5+qIMD8b:SFj1
X-Hashcash: 1:23:260518:tls@ietf.org::AmLIh6B3rSbbiRIO:0F4fM
Date: Mon, 18 May 2026 19:50:06 +0200
Message-ID: <87o6icsj3l.fsf@josefsson.org>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Message-ID-Hash: WCBCPEH3IL5NKCCBMQXIWO6SKSEBNEBW
X-Message-ID-Hash: WCBCPEH3IL5NKCCBMQXIWO6SKSEBNEBW
X-MailFrom: simon@josefsson.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: last-call@ietf.org, draft-ietf-tls-mldsa@ietf.org, tls-chairs@ietf.org, tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Last-Call] Re: Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC
List-Id: IETF Last Calls <last-call.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/bVkYVj7zwhmEQx-c5h6kIa7gSQI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Owner: <mailto:last-call-owner@ietf.org>
List-Post: <mailto:last-call@ietf.org>
List-Subscribe: <mailto:last-call-join@ietf.org>
List-Unsubscribe: <mailto:last-call-leave@ietf.org>

All,

I am opposed to publishing draft-ietf-tls-mldsa-03 as Informational RFC.
I have these concerns:

   1) Non-hybrid PQ signature schemes risk weakening the security of
      implementations, where a hybrid ECC+PQ provides a more appropriate
      risk/cost ratio, and

   2) the security considerations do not discuss the security concerns
      with use of ML-DSA in non-hybrid mode, and

   3) ML-DSA and lattice crypto in general are new in the IETF/TLS space,
      and the security considerations do not discuss the risks with
      the particular algorithm or the general field of lattice crypto.

Please (re-)consider if an IANA registration would be sufficient.

The document could be improved by extending the "Security
Considerations" section with a discussion about the risks associated
with non-hybrids and lattice crypto.

The pointers to FIPS204 section 3.4+3.6 do not provide a security
consideration discussion with sufficient information.

The IETF possibly via CFRG could provide security considerations for
ML-DSA generally, maybe with the help of the Crypto Review Panel.

Please review compatibility of the Security Considerations section with
BCP72: https://datatracker.ietf.org/doc/html/rfc3552

/Simon

The IESG <iesg-secretary@ietf.org> writes:

> The IESG has received a request from the Transport Layer Security WG (tls) to
> consider the following document: - 'Use of ML-DSA in TLS 1.3'
>   <draft-ietf-tls-mldsa-03.txt> as Informational RFC
>
> The IESG plans to make a decision in the next few weeks, and solicits final
> comments on this action. Please send substantive comments to the
> last-call@ietf.org mailing lists by 2026-06-01. Exceptionally, comments may
> be sent to iesg@ietf.org instead. In either case, please retain the beginning
> of the Subject line to allow automated sorting.
>
> Abstract
>
>
>    This memo specifies how the post-quantum signature scheme ML-DSA
>    (FIPS 204) is used for authentication in TLS 1.3.
>
>
>
>
> The file can be obtained via
> https://datatracker.ietf.org/doc/draft-ietf-tls-mldsa/
>
>
>
> No IPR declarations have been submitted directly on this I-D.
>
>
>
>
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
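Editor's added example, not part of the draft or of the mail above: the hybrid signature argument in point 1) concerns how a verifier combines two independent signature algorithms. The program below is an AND combiner over the exact byte string a TLS 1.3 server signs in CertificateVerify (RFC 8446, Section 4.4.3), with a domain-separation label bound into both component signatures. Everything else is assumed for illustration: ECDSA P-256 stands in for the ML-DSA component because the Go standard library has no ML-DSA, the label `example-hybrid-sig-v1` is hypothetical and not a registered TLS SignatureScheme, and the encoding (fixed-size component first, no length prefix) is this example's own, not something draft-ietf-tls-mldsa or any other document defines. `ForgeWithOneComponentBroken` models a complete break of one algorithm by handing the attacker that component's private key; the victim's verifier must still reject the result, which is the property a non-hybrid scheme cannot offer.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical domain-separation label (not a registered TLS SignatureScheme).
const hybridLabel = "example-hybrid-sig-v1\x00"

// serverCertificateVerifyContent is what a TLS 1.3 server signs in
// CertificateVerify (RFC 8446, Section 4.4.3): 64 spaces, context string,
// a zero byte, then the transcript hash.
func serverCertificateVerifyContent(transcriptHash []byte) []byte {
	var b bytes.Buffer
	b.Write(bytes.Repeat([]byte{' '}, 64))
	b.WriteString("TLS 1.3, server CertificateVerify")
	b.WriteByte(0)
	b.Write(transcriptHash)
	return b.Bytes()
}

// HybridKey holds one key per component. The pq slot would be ML-DSA in a real
// ECC+PQ hybrid; ECDSA P-256 stands in so only the standard library is needed
// (assumption). Verify uses only the public halves.
type HybridKey struct {
	classical ed25519.PrivateKey
	pq        *ecdsa.PrivateKey
}

func GenerateHybrid() (*HybridKey, error) {
	_, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ecPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &HybridKey{classical: edPriv, pq: ecPriv}, nil
}

// bind prefixes the label so a component signature cannot be lifted out of the
// hybrid and presented as a standalone Ed25519 or ECDSA signature on msg.
func bind(msg []byte) []byte { return append([]byte(hybridLabel), msg...) }

// Sign emits sig1 || sig2. The fixed-size component (64-byte Ed25519; ML-DSA
// signatures are likewise fixed-size per parameter set) goes first so no
// length prefix is needed; the DER ECDSA signature is self-delimiting.
func (k *HybridKey) Sign(msg []byte) ([]byte, error) {
	m := bind(msg)
	h := sha256.Sum256(m)
	s2, err := ecdsa.SignASN1(rand.Reader, k.pq, h[:])
	if err != nil {
		return nil, err
	}
	return append(ed25519.Sign(k.classical, m), s2...), nil
}

// Verify is the AND combiner: valid only if every component verifies, so a
// break of one algorithm alone yields no forgery. Both checks always run.
func (k *HybridKey) Verify(msg, sig []byte) error {
	if len(sig) <= ed25519.SignatureSize {
		return errors.New("hybrid signature too short")
	}
	m := bind(msg)
	h := sha256.Sum256(m)
	okClassical := ed25519.Verify(k.classical.Public().(ed25519.PublicKey), m, sig[:ed25519.SignatureSize])
	okPQ := ecdsa.VerifyASN1(&k.pq.PublicKey, h[:], sig[ed25519.SignatureSize:])
	if !okClassical || !okPQ {
		return errors.New("hybrid signature invalid")
	}
	return nil
}

// ForgeWithOneComponentBroken models a total break of one component: the
// attacker holds the victim's key for that slot and their own key for the other.
func ForgeWithOneComponentBroken(victim *HybridKey, classicalBroken bool, msg []byte) ([]byte, error) {
	forger, err := GenerateHybrid()
	if err != nil {
		return nil, err
	}
	if classicalBroken {
		forger.classical = victim.classical
	} else {
		forger.pq = victim.pq
	}
	return forger.Sign(msg)
}

func main() {
	k, _ := GenerateHybrid()
	th := sha256.Sum256([]byte("constructed transcript")) // stand-in for a real transcript hash
	content := serverCertificateVerifyContent(th[:])
	sig, _ := k.Sign(content)
	forged, _ := ForgeWithOneComponentBroken(k, true, content)
	fmt.Println("genuine:", k.Verify(content, sig), "| Ed25519 broken:", k.Verify(content, forged))
}
```

The design choice worth noting is the combiner, not the stand-in algorithms: because `Verify` requires both components, the hybrid is at least as strong as the stronger of the two against forgery, which is the risk/cost argument for hybrids while lattice signatures are still young. The cost side is visible too: the composite signature is the sum of both component sizes and both verifications run on every handshake. The label in `bind` is what stops a component signature extracted from the hybrid being replayed where the same key is also used standalone; in a real deployment that label would need to be a registered, agreed value rather than the hypothetical one used here.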