All,

I am opposed to publishing draft-ietf-tls-mldsa-03 as an Informational RFC. I have these concerns:

1) Non-hybrid PQ signature schemes risk weakening the security of
implementations, where a hybrid ECC+PQ provides a more appropriate
risk/cost ratio, and

2) the security considerations do not discuss the security concerns
with use of ML-DSA in non-hybrid mode, and

3) ML-DSA and lattice crypto in general are new in the IETF/TLS space,
and the security considerations do not discuss the risks with
the particular algorithm or the general field of lattice crypto.

Please (re-)consider if an IANA registration would be sufficient.

The document could be improved by extending the "Security
Considerations" section with a discussion about the risks associated
with non-hybrids and lattice crypto.

The pointers to FIPS204 section 3.4+3.6 do not provide a security
consideration discussion with sufficient information.

The IETF, possibly via CFRG, could provide security considerations for
ML-DSA generally, maybe with the help of the Crypto Review Panel.

Please review compatibility of the Security Considerations section with
BCP72: https://datatracker.ietf.org/doc/html/rfc3552

/Simon

The IESG <[email protected]> writes:
> The IESG has received a request from the Transport Layer Security WG (tls) to
> consider the following document: - 'Use of ML-DSA in TLS 1.3'
> <draft-ietf-tls-mldsa-03.txt> as Informational RFC
>
> The IESG plans to make a decision in the next few weeks, and solicits final
> comments on this action. Please send substantive comments to the
> [email protected] mailing lists by 2026-06-01. Exceptionally, comments may
> be sent to [email protected] instead. In either case, please retain the beginning
> of the Subject line to allow automated sorting.
>
> Abstract
>
> This memo specifies how the post-quantum signature scheme ML-DSA
> (FIPS 204) is used for authentication in TLS 1.3.
>
> The file can be obtained via
> https://datatracker.ietf.org/doc/draft-ietf-tls-mldsa/
>
> No IPR declarations have been submitted directly on this I-D.
>
> _______________________________________________
> TLS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
