Hi all,

TL;DR: I have proposed 2 small PRs [0,1]. If these PRs are merged and a quick FATT review [2] is done, I think I will no longer be opposed to the draft. I would be fine with some wordsmithing which does not change the meaning substantially.

FWIW, I think we need to separate two different things here:

1. Preference for hybrids: I believe there is already WG consensus on this via the "recommended" field. See PR [0].
2. Formal proof: See John's 4 points below and PR [1].

> 1. KEM-based key exchange in TLS 1.3 is secure.
> 2. Hybrid key exchange following draft-ietf-tls-hybrid-design remains secure unless both components are broken simultaneously.
> 3. A compromise of the key exchange also compromises handshake authentication, not just confidentiality.

See PR [1].

> 4. Key share reuse breaks forward secrecy.

I think 4 is not needed because we already forbid key reuse by 8446bis, which is normatively cited in this draft.

> And even then, we'd have to say "A machine-checked symbolic analysis done by an individual"

The number of people doing formal analysis is very limited. IMHO, we should not discourage the work of individuals by saying words like that. I believe the right process is to get it checked by FATT [2].
Best regards,
-Usama

[0] https://github.com/tlswg/draft-ietf-tls-mlkem/pull/21
[1] https://github.com/tlswg/draft-ietf-tls-mlkem/pull/22
[2] https://github.com/tlswg/tls-fatt#working-group-last-call-wglc
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
