I'd maybe add "in ClientHello" and "in CertificateRequest" in the first two points just so it's clearer. Perhaps this phrasing to deal with the "1.3 as well as 1.2" goofiness:
> Clients that only offer TLS 1.2 or earlier MUST NOT offer these code points in the ClientHello. Clients that offer TLS 1.3 MAY offer these schemes, even if the same ClientHello also offers TLS 1.2.

I notice you didn't include anything about client certificates, but I guess that's implicit from the server CertificateRequest prohibition, in a way that is not (as obviously) implicit in the other direction?

Interestingly, it *can* actually be implicit in all directions. No TLS 1.2 cipher suites or TLS 1.2 ClientCertificateTypes correspond to ML-DSA. That alone is enough to make these code points impossible in TLS 1.2. Since it is actually all implicit, just not as obvious, perhaps:

> The schemes defined in this document are not defined for use in TLS 1.2 [RFC5246] or earlier versions. Furthermore, no TLS 1.2 cipher suites or ClientCertificateType values support ML-DSA. This means:
>
> * Clients [...bullet points here...]

It is a pity we require so many words to say what will be true of basically every algorithm we define going forward: these algorithms are only defined for use with TLS 1.3 or later. But it's also true that people constantly get confused by this. Maybe this document can serve as cookie-cutter example text going forward.

David

On Mon, Mar 16, 2026 at 11:54 AM Eric Rescorla <[email protected]> wrote:
> On Sun, Mar 15, 2026 at 8:51 PM Eric Rescorla <[email protected]> wrote:
>
>> Per the discussion in today's meeting.
>>
>> ISTM that the main intent is to entirely preclude the use of PQ with
>> TLS 1.2. In that case, I think we should probably say:
>>
>> - Clients MUST NOT advertise these code points unless they
>> are advertising TLS 1.2 as well as TLS 1.3.
>
> This should say TLS 1.3 as well as TLS 1.2, or, as Rich says
> "unless they are advertising TLS 1.3"
>
>> - Servers MUST NOT advertise these code points unless they
>> have negotiated TLS 1.3 or above.
>>
>> - If TLS 1.2 is negotiated, servers MUST NOT send
>> certificates which are signed by or contain keys using
>> these algorithms.
>>
>> -Ekr
>>
>> _______________________________________________
> TLS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
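The client and server rules discussed in the thread, written as a conformance check in Python; this is an added example, not text or code from the draft or from anyone in the thread. The ML-DSA SignatureScheme values below are constructed placeholders (substitute the draft's actual code points), and the ClientHello builder and parser handle only the supported_versions and signature_algorithms extensions.

```python
import struct

# PLACEHOLDER values standing in for the ML-DSA SignatureScheme code points;
# replace with the actual IANA assignments from the draft.
MLDSA_SCHEMES = {0x0904, 0x0905, 0x0906}
TLS12, TLS13 = 0x0303, 0x0304
EXT_SIGNATURE_ALGORITHMS, EXT_SUPPORTED_VERSIONS = 13, 43

def build_client_hello_extensions(versions, schemes):
    """Constructed ClientHello extensions block: supported_versions (if any)
    and signature_algorithms, each encoded as type(2) | length(2) | data."""
    body = b""
    if versions:  # a TLS 1.2-only client typically omits supported_versions
        vs = b"".join(struct.pack("!H", v) for v in versions)
        body += struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, len(vs) + 1, len(vs)) + vs
    ss = b"".join(struct.pack("!H", s) for s in schemes)
    body += struct.pack("!HHH", EXT_SIGNATURE_ALGORITHMS, len(ss) + 2, len(ss)) + ss
    return struct.pack("!H", len(body)) + body

def parse_extensions(block):
    """Map extension type -> raw extension_data for a ClientHello extensions block."""
    (total,) = struct.unpack("!H", block[:2])
    exts, off = {}, 2
    while off < 2 + total:
        etype, elen = struct.unpack("!HH", block[off:off + 4])
        exts[etype] = block[off + 4:off + 4 + elen]
        off += 4 + elen
    return exts

def u16s(data):
    return [v for (v,) in struct.iter_unpack("!H", data)]

def check_client_hello(block):
    """Client rule: ML-DSA schemes may only be offered if TLS 1.3 is offered.
    A missing supported_versions extension means a TLS 1.2-or-earlier client."""
    exts = parse_extensions(block)
    sv = exts.get(EXT_SUPPORTED_VERSIONS, b"")
    versions = u16s(sv[1:1 + sv[0]]) if sv else []      # 1-byte length prefix
    sa = exts.get(EXT_SIGNATURE_ALGORITHMS, b"\x00\x00")
    schemes = u16s(sa[2:2 + struct.unpack("!H", sa[:2])[0]])  # 2-byte length prefix
    mldsa = sorted(s for s in schemes if s in MLDSA_SCHEMES)
    if mldsa and TLS13 not in versions:
        return ["ML-DSA schemes %s offered without offering TLS 1.3" % [hex(s) for s in mldsa]]
    return []

def check_certificate_request(negotiated_version, schemes):
    """Server rule: ML-DSA in CertificateRequest only once TLS 1.3 or later is negotiated."""
    mldsa = sorted(s for s in schemes if s in MLDSA_SCHEMES)
    if mldsa and negotiated_version < TLS13:
        return ["ML-DSA schemes advertised in CertificateRequest under %#06x" % negotiated_version]
    return []
```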
