On Thu, Jun 25, 2026, at 22:51, Bas Westerbaan wrote: >> The question in https://github.com/tlswg/draft-ietf-tls-mlkem/pull/24 and >> https://github.com/tlswg/draft-ietf-tls-mlkem/pull/25 is perhaps worth >> discussing. > > I think neither are necessary. > > The expanded decapsulation key caches the hash of the encapsulation > key. The decapsulation key check is whether that hash is correct. FIPS > 203 only requires that check if the key is from an untrusted source. In > the case of TLS, you generate the key yourself earlier, so you know the > hash is correct.
I'm clearly having a moment, because I'm not following you. At all. The values being checked here are the untrustworthy ones. The concern I have is what alert code is used for: 1. length is wrong 2. validation failed 3. Encaps/Decaps failed The draft draws a line between 1&2 in one case and between 2&3 for another case. #24 proposes a cut between 2&3; #25 proposes a cut between 1&2. _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
