[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08)

Sean Turner <sean@sn3rd.com> Sun, 28 June 2026 19:45 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id C96981095A6B9 for <tls@mail2.ietf.org>; Sun, 28 Jun 2026 12:45:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1782675945; bh=RffbhtKIx9GbmAE3TBgVdx29FrYarkZcMmNMFSUCQYQ=; h=From:Subject:Date:References:To:In-Reply-To; b=dnk+kqWz3GbtsEAaUBnZBzGiF5I6HiDhwvsQHfCV3rp3sv88HJNnndd15d8VEZyom gfPLtetZyNVdrroRLSnq6CUsuoUPS9JC1JqPtFASuDryQFq129+oNYmjoi2eeBFiLF CcyD7npqRUVCAaxXB5+n1ED9EzoQ8LVatx0zWybw=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JCgufYv_rgz8 for <tls@mail2.ietf.org>; Sun, 28 Jun 2026 12:45:44 -0700 (PDT)
Received: from mail-qt1-x842.google.com (mail-qt1-x842.google.com [IPv6:2607:f8b0:4864:20::842]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 27CB91095A63B for <tls@ietf.org>; Sun, 28 Jun 2026 12:45:14 -0700 (PDT)
Received: by mail-qt1-x842.google.com with SMTP id d75a77b69052e-51a14efe25fso30054961cf.1 for <tls@ietf.org>; Sun, 28 Jun 2026 12:45:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; t=1782675913; x=1783280713; darn=ietf.org; h=message-id:in-reply-to:to:references:date:subject:mime-version:from :from:to:cc:subject:date:message-id:reply-to; bh=14lDnoplqcJbx/k1N6b00o4GLE+LWNYFMNVA7F6MtBM=; b=hsGy/QcEmynZwrL0W+waaa4lvFwaGSJvlboRg+C1P3qeyXwA9yVE7XIQH9EnAaCgJv OCRqbtMLoM2U6IbhnRamWUEtlM1M3FwAnOyKukbohsTchXizM+J4nl6y7ZAz+RZdTPw9 T9ylIkzY5gTtuD8/cJiqsl7Lhu8j8Lxp/PjOg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782675913; x=1783280713; h=message-id:in-reply-to:to:references:date:subject:mime-version:from :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=14lDnoplqcJbx/k1N6b00o4GLE+LWNYFMNVA7F6MtBM=; b=fMA/rlhGS3gm0cRnyIbl8orx9ozEKRsWjJmKG3Nwuddon7CwskDn4JdZJD1ttORmAM wI2dwFcBVSxx3E5938bIAUpDDw0RXOA9oaHio2W/WAO0suvEeZx4yP7XZVgir/lxAWlC zDs5yQc6o60Th0F7LhO+kfIBWS8fZunQTN36/ZbCcjkFW+Uyy71pRtAgZWCNaSP2pvEA tX7BCrPMJHK/F4r1ZJR7+DaNrGREGEr8ONRy8AEv7OVOIo+EaUfPpf85RGiqOQRiLase Kz1TOaRTmJBYCE3hRZkB+lQtu8+N3owKxGp6sru569N1pJZj6MfjDOW4gjEHFi6wKhON xPfg==
X-Gm-Message-State: AOJu0Yxny415ZRnOlwh4jf8mVDSWpkOF/+jIDZzrYt10sW1zRDnS6B8K ca1avbT/79P+tY0Ek7u9Jol3Q/uH/ildWdr6Zp5AuU6hwyYBbOnoaGHp+Ex6aZU/Osh8TBl0ejD qQ2bBqFhzCGUC
X-Gm-Gg: AfdE7ckQssLWEeWJQb48s4foETNo4qTyhhYgB/0utcUPk1k+SivIikCZaeDlpXlvN1h TbRwWxL6hWsmSuL9epUssMRbSXu75bgBBKzrylYvulOVyS/9hnxQSbFPNItKhBBh3/72QX0y5GB wydMbSfq8sT1aQLnHcs5q5Q+iDwgJJOF281J7+bAUs5OLOBPdzstYkdwowu/3hUItGswvuqefVK DCJCHeVJYZdy4fNA/tev5VcXYmd7/c8oejFAHAaJvHYHnwomIEgQNDrPu/cty42lub43lJUSUj9 op9va6BIYyisyJ71BknhloPIpW0cFgYzs/Yu2xJZOiPBA8VaFudW35eYsuCV+qpQEGU+jIZPrpG ZCgTvbIFqoVDcHpt9VnpGnaPDIx+bUog0C0U5o8JFpknw01vKmCEJ4ilYzys0nBo/Wl8txWqP55 7NA+4ZLvTbTBGAkwnU8eFTUVOGMWrUwIw4LA4p/Q==
X-Received: by 2002:a05:622a:410a:b0:519:51af:febd with SMTP id d75a77b69052e-51a72a56410mr211560421cf.46.1782675913575; Sun, 28 Jun 2026 12:45:13 -0700 (PDT)
Received: from smtpclient.apple ([2600:4040:254d:3700:9988:b82e:9fa9:4b14]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-51a51a9a3a4sm149137991cf.17.2026.06.28.12.45.12 for <tls@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 28 Jun 2026 12:45:12 -0700 (PDT)
From: Sean Turner <sean@sn3rd.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6F16BBA9-FF49-403A-9614-A32700241A41"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.600.51.1.1\))
Date: Sun, 28 Jun 2026 15:44:52 -0400
References: <20260628174613.4160324.qmail@cr.yp.to> <df7e9b2f-8048-41b9-832d-3c1c6bc69506@tu-dresden.de>
To: TLS List <tls@ietf.org>
In-Reply-To: <df7e9b2f-8048-41b9-832d-3c1c6bc69506@tu-dresden.de>
Message-Id: <ECF71D53-F28B-41B5-96FA-A800ADB0C729@sn3rd.com>
X-Mailer: Apple Mail (2.3864.600.51.1.1)
Message-ID-Hash: QDDMM7EZQECZBP7HQZ5KX23HVAWONLCW
X-Message-ID-Hash: QDDMM7EZQECZBP7HQZ5KX23HVAWONLCW
X-MailFrom: sean@sn3rd.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7l8RfNfdCABM0HYpGrbx-Eja5p0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

AGAIN!!!!

Let’s stick to the consensus call, "I support" or do "I do not support" as was requested in the email that began this thread.

I will, again, repeat the reminder, about conduct:

Conduct Reminder: Given the heated nature of previous discussions on this topic, participants are strongly reminded to adhere to the IETF Code of Conduct (BCP 54) and the TLS WG's Mail List Procedures. Keep feedback professional, technical, and focused on the document's text.

For the TLS Chairs,
spt

> On Jun 28, 2026, at 15:42, Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> wrote:
> 
> Hi D. J. Bernstein,
> 
> I'd be happy if you could show me a concrete attack on the integration of ML-KEM in TLS that I can double-check in ProVerif, rather than referring to older attacks or complaining about absence of details in ProVerif. I'll try my best to put in all the details in ProVerif that you want. Please keep your email response focused on exactly that rather than what chairs or others did. Thank you!
> 
> If you don't show me a concrete attack, I'll not respond because there is no actionable gap for us to model since the combination of symbolic and computational proof provides sufficient coverage.
> 
> 
> 
> 
> On 28.06.26 19:46, D. J. Bernstein wrote:
>> Muhammad Usama Sardar writes:
>>> D. J. Bernstein wrote:
>>>> The TLS WG chairs write:
>>>>> Significant developments have occurred both within this document and
>>>>> in the broader TLS ecosystem to address the concerns raised in the
>>>>> last WGLC.
>>>> False.
>>> If you believe Nadim's formal analysis in ProVerif is not a significant
>>> development
>> My comments have nothing to do with the judgment call of what qualifies
>> as "significant".
> Then, I kindly ask you not to use the words like "sideshow" for someone's substantial technical concern. As John says, key reuse is a fundamental security concern.
>>> John is surely not the only one. Key reuse was one of my *major*
>>> concerns.
>> Sorry if I missed some previous text (but then why don't you provide a
>> quote?).
> Because I thought WG participants might trust me that I am not lying. 
> 
> Anyway, here you go from Thu, 27 Nov 2025 11:18:11 -0800 (PST) according to archives [0]:
> 
> I have no opinion from PQ perspective but from 
> traditional crypto perspective, I agree with your concern on key reuse. 
> Intuitively, I would assume the same problems would hold in pure PQ but 
> there may be subtleties.
> 
> Anything else I can do for you to assure you that John was not the only one objecting about key reuse? or to assure you that key reuse was a technical concern that I have had for quite a long time?
> 
> Back then, I was -- unfortunately -- not able to formally prove it and hence, I did not emphasize it a lot. Nevertheless, my belief was that it is a weakness that can be exploited together with other weaknesses. And I believe that is typically what happens in reality too. I think there is rarely a single weakness in real-world compromises. It's often a combination of weaknesses which lead to bigger vulnerabilities.
> 
>>> AFAIU, most of the 25 objecters
>>> from the last WGLC now seem to be satisfied with the formal proof. I've seen
>>> only 4-5 of those still objecting. All other objecters so far are new
>> Your numbers are not backed by URLs or other evidence; I have no idea
>> why you think excluding "new" objectors is justified;
> I'm not excluding any one at all. I'm just saying that based on the information we had from last WGLC objectors, we tried to get confirmation on all sides as far as we could: both symbolic and computational proofs.
> 
> We requested feedback on formal analysis or what else we can do to satisfy the needs of other objectors. Nobody showed up. And hence, WGLC is well-justified to understand what technical work needs to be done -- or alternatively whether spending any further WG energy on this draft is worth it.
> 
> Best,
> 
> -Usama
> 
> [0] https://mailarchive.ietf.org/arch/msg/tls/cGVWArNZO-N_r-5u5K8lBoVUitY/
> 
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org