On Fri, Jun 26, 2026, at 07:39, Nick Sullivan wrote:
> Quick clarification of my last email. The points, briefly:
> - Publish -08 as-is: ok
> - Do not merge #25: it reroutes a failed Section 7.2 encapsulation-key
> check from illegal_parameter to internal_error, away from -08 (and the
> approved draft-ietf-tls-ecdhe-mlkem).
> - Minor, non-blocking: probabilistic wording in Section 4.3, the DTLS
> freshness clarification, and a note that implicit rejection is not an
> error.

Nick, that original mail was tl;dr.  I tried.  Are you suggesting that the 
draft is correct without changes?  Just because it works doesn't make it good.  
A lot depends on how you intend to use this API, but I would greatly prefer 
that it be at least possible to only have to deal with APIs that take byte 
sequences.  (Unlike other uses of the same thing, there is no value to 
obtaining a checked value for multiple uses, because these are single-use 
items.)

With that API, failing the checks in FIPS 203 will be indistinguishable from 
failing to gather entropy or actual cryptographic problems (which we generally 
want to hide; fault injection, etc...).

The part where this gets weird for me is this (which both you and Bas say in 
different ways, I think):

> First, the client need not repeat the decapsulation-key checks on every 
> operation [...]

I was not suggesting that the client check the key it made at all (unless I'm 
completely losing it).

#25 says: 

> Prior to encapsulation, the server MUST perform the encapsulation key check
> from Section 7.2 of {{FIPS203}}.
> Prior to decapsulation, the client MUST perform the decapsulation input check
> from Section 7.3 of {{FIPS203}}.

Paraphrasing: "check the stuff you received from the other side before using 
it".  It says nothing of what each peer itself generates.

What am I missing?

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to