On Thu, Nov 27, 2025 at 07:43:57PM +0000, Stephen Farrell wrote:
> Hi John,
>
> On 27/11/2025 16:02, John Mattsson wrote:
> > - ML-KEM-512 is the only adopted quantum-resistant algorithm that
> > can be used to bypass legacy middle boxes.
>
> Do you know if anyone's written up a description of that?

Though with some SMTP servers (often noticeably slower to upgrade than the
Web) problems with multi-TCP-segment ML-KEM client hellos have been
reported by senders to a few receiving domains, such reports are fairly
rare. One notable problem site (at the time "boeing.com") was promptly
remediated.

I am inclined to be sceptical of the claim that middleboxes are a
significant barrier to adoption of MLKEM768. If necessary, clients can
include X25519MLKEM768 near the front of their supported groups list,
but without sending a corresponding predicted keyshare, and then at
the cost of an HRR negotiate its use with just the servers that support
and prefer it. This is the approach taken in the default settings of
the Postfix SMTP client, where admittedly an occasional extra
round-trip is not a concern, and in any case server support for PQ key
exchange will be fairly rare for a while.
--
Viktor. 🇺🇦 Слава Україні!
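As an added illustration of the trade-off described in the message above (this is not code from the thread or from Postfix), the following Python builds the TLS 1.3 supported_groups and key_share extensions both ways and compares their size: an eager X25519MLKEM768 key share versus offering the group without a share and accepting an HRR. The key shares are zero-filled blobs of the correct length, and the single-segment byte budget is a constructed estimate.

```python
import struct

# TLS extension types and group codepoints (IANA values; 0x11EC is
# X25519MLKEM768 from the hybrid key-exchange registry entry).
EXT_SUPPORTED_GROUPS = 10
EXT_KEY_SHARE = 51
X25519 = 0x001D
SECP256R1 = 0x0017
X25519MLKEM768 = 0x11EC

# Client key-share sizes: X25519 public key is 32 bytes; the hybrid share is
# the 1184-byte ML-KEM-768 encapsulation key followed by the X25519 key.
SHARE_LEN = {X25519: 32, SECP256R1: 65, X25519MLKEM768: 1184 + 32}

# Constructed budget: a 1460-byte MSS minus roughly 300 bytes for the rest of
# a typical ClientHello (random, cipher suites, SNI, ALPN, sigalgs, ...).
ONE_SEGMENT_BUDGET = 1460 - 300


def build_extensions(groups, keyshare_groups):
    """Build supported_groups + key_share extension bytes for a ClientHello.
    Key shares are dummy zero-filled blobs of the right size (constructed)."""
    sg_body = b"".join(struct.pack("!H", g) for g in groups)
    sg = struct.pack("!HHH", EXT_SUPPORTED_GROUPS, len(sg_body) + 2, len(sg_body)) + sg_body
    ks_body = b"".join(struct.pack("!HH", g, SHARE_LEN[g]) + bytes(SHARE_LEN[g])
                       for g in keyshare_groups)
    ks = struct.pack("!HHH", EXT_KEY_SHARE, len(ks_body) + 2, len(ks_body)) + ks_body
    return sg + ks


def analyze(ext):
    """Parse the extension list: which groups are offered, which carry a key
    share, and whether the hello likely spills into a second TCP segment."""
    groups, shares, off = [], [], 0
    while off < len(ext):
        etype, elen = struct.unpack_from("!HH", ext, off)
        body = ext[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype == EXT_SUPPORTED_GROUPS:
            n = struct.unpack_from("!H", body)[0]
            groups = [struct.unpack_from("!H", body, 2 + i)[0] for i in range(0, n, 2)]
        elif etype == EXT_KEY_SHARE:
            n, i = struct.unpack_from("!H", body)[0], 2
            while i < 2 + n:
                g, length = struct.unpack_from("!HH", body, i)
                shares.append(g)
                i += 4 + length
    return {"groups": groups, "shares": shares, "bytes": len(ext),
            "multi_segment": len(ext) > ONE_SEGMENT_BUDGET}


# Constructed comparison: eager hybrid share vs. the Postfix-style approach of
# offering X25519MLKEM768 but sending only an X25519 share (HRR if preferred).
EAGER = analyze(build_extensions([X25519MLKEM768, X25519, SECP256R1], [X25519MLKEM768, X25519]))
HRR_STYLE = analyze(build_extensions([X25519MLKEM768, X25519, SECP256R1], [X25519]))
```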
_______________________________________________
TLS mailing list -- [email protected]