D. J. Bernstein wrote: >> - Key Share Reuse Prohibited in draft-ietf-tls-rfc8446bis: The WG >> recently reached consensus to explicitly prohibit key share reuse >> across connections in TLS 1.3. The new text changes the guidance from >> SHOULD NOT to a strict MUST NOT. This resolves the concerns regarding >> static key reuse and its associated privacy and forward-secrecy risks >> for ML-KEM. > >It has always been clear that this matters for one person. John Mattsson >during the adoption call wrote "I support adoption as long as reuse of >ephemeral keys is normatively forbidden, i.e. MUST NOT reuse"; he has >made similar comments afterwards. > >However, the majority of people stating objections have done so on more >fundamental grounds than this. See my chart > > https://blog.cr.yp.to/20260221-structure.html > >of the arguments and counterarguments; someone claiming to "address the >concerns raised" should be addressing, e.g., "weakening normal ECC+PQ to >solo PQ creates security risks", not just the sideshow about "whether >ML-KEM key reuse should be prohibited".
Based on the number of people who spoke up during the consensus call, it is clear that many people share my concern. Static key reuse was a major problem in TLS. It created a persistent identifier for tracking users and has repeatedly turned implementation bugs in ECC into serious practical vulnerabilities. The same would likely have happened with PQC KEMs. Calling this "not fundamental" or a "sideshow" makes little sense. Prohibiting key share reuse is a fundamental security and privacy requirement. Cheers, John Preuß Mattsson From: D. J. Bernstein <[email protected]> Date: Sunday, 28 June 2026 at 15:04 To: [email protected] <[email protected]> Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08) The TLS WG chairs write: > Significant developments have occurred both within this document and > in the broader TLS ecosystem to address the concerns raised in the > last WGLC. False. For example, none of that has addressed the following objection from Izzy Grosof: "The performance improvements of a non-hybrid approach are trifling; the security risks are immense ... Do not endorse or standardize any non-hybrid post-quantum cryptosystem, via this document or any other." This isn't an isolated example of an unaddressed objection. In the last WGLC, there were 22 people speaking up against the document (vs. 21 in favor). The majority of those 22 people stated objections centered on solo PQ incurring unnecessary security risks compared to hybrids. See https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fblog.cr.yp.to%2F20260405-votes.html&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7C5e29facfe193480c82ec08ded515d1c6%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C639182486865574635%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=S471raOrz9GqrcSmcPlwMBkIysKXulIYdt1VqXTuisA%3D&reserved=0<https://blog.cr.yp.to/20260405-votes.html> for names, quotes, and links. RFC 2026, Section 6.5, authorizes process complaints from individuals whose views have not been adequately considered by the WG. I'm hereby invoking this provision to ask for withdrawal of this WGLC---a WGLC founded upon disregarding objections from many people, including me. The chairs have never acknowledged the level of opposition. The chairs have never acknowledged the main content of the opposition. This new last call takes minor issues and misrepresents those as "the concerns raised in the last WGLC". I'm saying "minor" because, in fact, only a few people raised those _as objections_, no matter how many times _proponents_ might have claimed that those issues are central. What's particularly pernicious about the chair refusal to acknowledge the majority of the objections is that the chairs also wrote "Please refrain from further discussion on this topic". RFC 2418 requires disagreements to be "resolved by a process of open review and discussion"; the chairs are actively sabotaging this process. > Therefore, the third consensus call is warranted. No, it is not. It is an abuse of power by the chairs, inflicting costs upon opponents to object again and again. Defense contractors paying people to show up here can easily afford these costs, but for normal people these costs are important. IETF says it isn't a pay-to-play organization. IETF says it makes decisions by consensus. IETF says disagreements must be _resolved_. > - Promotion of Hybrids in draft-ietf-tls-ecdhe-mlkem: Following a > separate consensus call, the WG agreed to promote the X25519MLKEM768 > hybrid group to Recommended: Y in the IANA registry. This argument might be relevant in a fantasy world where corporate purchasing managers understand IETF endorsement to be conveyed not by the issuance of RFCs but rather by the IANA registry. In the real world, I'm sure a survey will show that the majority haven't even heard of the IANA registry. They also don't check the RFCs they're requiring to check for unexplained buried notes saying "Recommended: N". We've even seen Eric Rescorla admitting this: "I think it's clear that many regard the publication of an RFC by the TLS WG as a form of endorsement, even when Recommended=N [0]. In fact, this is precisely why the publication of some documents has become so controversial. ... [0] I don't think this position is entirely unreasonable given that the documents state on the face of them that they 'represent[s] the consensus of the IETF community.' " Just to emphasize: that's admitting the controversy regarding _the WG issuing an RFC_ (the proposal on the table). It's also admitting that pointing to "Recommended: N" doesn't address the controversy. Now the chairs are pointing to "Recommended: N" (by comparison to "Recommended: Y" in a better spec) and claiming that this addresses the controversy. No, it doesn't. Any action that will be interpreted as endorsing this security-sabotaging spec is unacceptable. The issuance of an RFC will be viewed as IETF endorsement; that's unacceptable. The (fraudulent) claim of "consensus of the IETF community" will also be viewed as IETF endorsement; that's also unacceptable. > Consequently, the IANA registry will reflect a clear community > preference for a hybrid If there's a clear community preference for ECC+PQ, then why are we seeing endless pushes for solo PQ? We've already been told the answer. An NSA employee wrote "we are looking for products that support /standalone/ ML-DSA-87 and /standalone/ ML-KEM-1024. If there is one vendor that produces one product that complies, then that is the product that goes on the compliance list and is approved for use. Our interactions with vendors suggests that this won't be a problem in most cases"; a Cisco employee wrote "There are people whose cryptographic expertise I cannot doubt who say that pure ML-KEM is the right trade-off for them, and more importantly for my employer, that's what they're willing to buy. Hence, Cisco will implement it"; etc. This violates a rule labeled in https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fweb.archive.org%2Fweb%2F20250528213926%2Fhttps%3A%2F%2Fwww.ietf.org%2Fblog%2Fietf-llc-statement-competition-law-issues%2F&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7C5e29facfe193480c82ec08ded515d1c6%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C639182486865600818%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=Uu%2F0e8iX%2B%2FmE6iOEFQ8gJKJ08WzZOKk68GoG53oh4HA%3D&reserved=0<https://web.archive.org/web/20250528213926/https://www.ietf.org/blog/ietf-llc-statement-competition-law-issues/> as "fundamental": "IETF participants use their best engineering judgment to find the best solution for the whole Internet, not just the best solution for any particular network, technology, vendor, or user." See also https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fweb.archive.org%2Fweb%2F20260622091826%2Fhttps%3A%2F%2Fwww.ietf.org%2Fsupport-us%2Fendowment%2F&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7C5e29facfe193480c82ec08ded515d1c6%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C639182486865617364%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=2B%2BZhKmXrPfQeCAzpV4sdFxcaeZBd2%2BKsjf0eXWJmUc%3D&reserved=0<https://web.archive.org/web/20260622091826/https://www.ietf.org/support-us/endowment/> saying that "participants cannot exert influence as they could in a pay-to-play organization where members, companies, or governments pay fees to set the direction". What's happening here is NSA overtly paying to influence IETF's direction. More recently (perhaps because arguments along the lines of "NSA wants this so we'll standardize it" don't exactly look good in the sunlight) we've seen other arguments for solo PQ, such as * the claim that "pure-mlkem is the obviously correct solution if you want high-performance solutions"; * an emphasis that "we have implemented this in Chrome"; and * a claim that deploying ECC+PQ would require a "second large-scale engineering effort to migrate to pure ML-KEM sometime later" and "would consume literal years of my life". But these arguments can't be reconciled with the supposed clarity of the community preference for ECC+PQ. As I put it in a previous message: "Who's the supposed user base for these specs? The answers are absurdly inconsistent. Someone asking about the purported _advantage_ of solo PQ over ECC+PQ is treated to wild exaggerations of the cost difference and to a whac-a-mole game of supposed applications (such as 'high-frequency trading'). Someone asking about the _security damage_ is instead told that this is just for NSA. C'mon, this doesn't pass the laugh test." > because Recommended: Y clearly indicates this while the standalone > ML-KEM groups defined in this draft remain Recommended: N. There are endless statements contradicting the idea that "Y" vs. "N" for "Recommended" clearly communicates a preference of one algorithm over another. For example: * Eric Rescorla wrote that a preference "isn't what Recommended=Y/N means in the context of TLS ... which is why we have four separate recommended EC curves" and that "The mechanism for encouraging implementors to actually use/deploy a draft is SHOULD/MUST implement". * RFC 8447 states a variety of different possible situations that can all produce Recommended: N, such as an item that "has limited applicability" _or_ "is intended only for specific use cases" _or_ merely "has not been through the IETF consensus process". * RFC 9847 says something different, namely that Recommended: N means that "the item has not been evaluated by the IETF" _and_ "that the IETF has made no statement about the suitability of the associated mechanism". * Meanwhile RFC 9487 says that Recommended: Y "only means that the associated mechanism is fit for the purpose for which it was defined". How can the chairs be claiming that "the IANA registry will reflect a clear community preference for a hybrid because Recommended: Y clearly indicates this" when they're authors of an RFC from last month saying that Recommended: Y means something else? Anyway, there's no point trying to disentangle this mess. The victims of RFCs on solo PQ usually won't even _see_ "Recommended: N" vs. "Y", so they won't be in the situation of trying to figure out what it means. It's instructive to look at https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.eff.org%2Ffiles%2F2014%2F04%2F09%2F20130905-guard-sigint_enabling.pdf&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7C5e29facfe193480c82ec08ded515d1c6%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C639182486865633127%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=rU%2FZZgXmsUCHbX7kfNGEvnRTJ1T27EKGrvlpColm20w%3D&reserved=0<https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf> saying "The SIGINT Enabling Project actively engages the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs. ... To the consumer and other adversaries, however, the systems' security remains intact." That nicely summarizes what's happening here. Overt leverage by NSA is removing the protection provided by ECC, but people all the way from purchasing managers to the end consumers aren't being _told_ that this protection has been removed. > The updated security considerations in [1] reference the IANA registry > to emphasize this preference. "Emphasize"? What the chairs are talking about here, as far as I can tell, is the last sentence of "5. Security Considerations", which currently says "The recommended column in the IANA TLS Supported Groups registry contains the IETF's current guidance on the recommended use of these algorithms for general purposes." How is this text emphasizing a preference for hybrids? I simply don't see that in the text. Furthermore, the _positioning_ of this text is _deemphasizing_ it. The text is buried much more deeply than, e.g., the text "consensus of the IETF community" that's automatically added to all WG RFCs, or the text "ML-KEM [FIPS203] is a FIPS standard for post-quantum [RFC9794] key establishment via a lattice-based key encapsulation mechanism (KEM)" in the introduction. The occasional reader who makes it to the security-considerations section sees the following text at the top of that section: "This document defines standalone ML-KEM key establishment for TLS 1.3. Use of KEMs for key agreement in TLS 1.3 has been analyzed in multiple settings and security models [DOWLING] [KEMTLS] [HV22] [CHSW22] [CZCJWH25] [ZJZ24]; ML-KEM's IND-CCA security exceeds the requirements for ephemeral key establishment [GHS25] [RFC8446bis]." To be clear, I would be opposed to an RFC specifying solo PQ even if it _did_ have prominent warnings. Many people will treat the issuance of an RFC as IETF endorsement without ever seeing the warnings. > - Key Share Reuse Prohibited in draft-ietf-tls-rfc8446bis: The WG > recently reached consensus to explicitly prohibit key share reuse > across connections in TLS 1.3. The new text changes the guidance from > SHOULD NOT to a strict MUST NOT. This resolves the concerns regarding > static key reuse and its associated privacy and forward-secrecy risks > for ML-KEM. It has always been clear that this matters for one person. John Mattsson during the adoption call wrote "I support adoption as long as reuse of ephemeral keys is normatively forbidden, i.e. MUST NOT reuse"; he has made similar comments afterwards. However, the majority of people stating objections have done so on more fundamental grounds than this. See my chart https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fblog.cr.yp.to%2F20260221-structure.html&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7C5e29facfe193480c82ec08ded515d1c6%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C639182486865648981%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=xWmcFgDxGE8tAVUePR0qpSVKHilu9RoJ5e2WclDCQGc%3D&reserved=0<https://blog.cr.yp.to/20260221-structure.html> of the arguments and counterarguments; someone claiming to "address the concerns raised" should be addressing, e.g., "weakening normal ECC+PQ to solo PQ creates security risks", not just the sideshow about "whether ML-KEM key reuse should be prohibited". > - Nadim updated the ProVerif model of TLS 1.3 to evaluate KEM and > hybrid KEM groups in TLS 1.3. This supports other results which show > that KEMs are secure when used in TLS 1.3 and that hybrid groups are > secure even if one of the components is compromised. My understanding is that such formal analysis moved Muhammad Usama Sardar from opposition to neutral. But, again, the majority of people stating objections have done so on more fundamental grounds than this. > - Liaisons: We received liaison statements from multiple SDOs > including O-RAN[2], IEEE 802.11[4] and from 3GPP[3] expressing > support for the publication of draft-ietf-tls-mlkem as an RFC as they > rely on the IETF to provide a stable normative reference. An organization trying to influence IETF decisions via liaison statements to WGs is violating the following rule from RFC 2418: "Participation is by individual technical contributors, rather than by formal representatives of organizations." I'm hereby complaining under RFC 2026, Section 6.5, about this process violation, and requesting that the chairs explicitly bar all liaison statements. A closer look at the content---see https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fweb.archive.org%2Fweb%2F20260628104623%2Fhttps%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Ftls%2FJt6-6ssv7zUBHMgIzXaxw_PfJYQ%2F&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7C5e29facfe193480c82ec08ded515d1c6%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C639182486865666829%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=ay23cnQoikGpSkCHxZd4rH%2F%2F4Xu4qH9sASr4RIWgubw%3D&reserved=0<https://web.archive.org/web/20260628104623/https://mailarchive.ietf.org/arch/msg/tls/Jt6-6ssv7zUBHMgIzXaxw_PfJYQ/> ---also finds severe problems with what the chairs are claiming here. The chairs have never addressed any part of this; they just wave again and again at liaisons while ignoring the procedural objections and content objections. Anyway, claiming that NSA etc. want solo PQ, or even that they demand solo PQ, is non-responsive to the objections saying that solo PQ incurs unnecessary security risks compared to ECC+PQ. ---D. J. Bernstein ===== NOTICES ===== IETF BCP 78, "Rights Contributors Provide to the IETF Trust", Section 5 (normative), "Rights in Contributions", provides a modification right "unless explicitly disallowed in the notices contained in a Contribution (in the form specified by the Legend Instructions)". The official language from IETF's "Legend Instructions" for the situation that "the Contributor does not wish to allow modifications nor to allow publication as an RFC" is as follows: "This document may not be modified, and derivative works of it may not be created, and it may not be published except as an Internet-Draft." <https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftrustee.ietf.org%2Fwp-content%2Fuploads%2FCorrected-TLP-5.0-legal-provsions.pdf&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7C5e29facfe193480c82ec08ded515d1c6%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C639182486865682540%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=X9ylUvT1NO908faPEDyi383k4%2FQ1TdgRnjNxXM%2B%2BhsI%3D&reserved=0<https://trustee.ietf.org/wp-content/uploads/Corrected-TLP-5.0-legal-provsions.pdf>> The same language is used in, e.g., RFC 5831. The same language hereby applies to this document. This is not disclaiming or limiting the applicability of IETF policies; it is strictly following IETF policies. IESG claims that the "explicitly disallowed" provision in BCP 78 is limited to the examples in Section 3 in BCP 78. That is incorrect. BCP 78 states that Section 5, "Rights in Contributions", is normative, while Section 3, "Exposition of Why These Procedures Are the Way They Are", is informative. The opt-out provision in the normative text is clear, and cannot be limited by an informative section. BCP 78 does not give IESG any authority to issue changes or purported clarifications of the rules. Rationale for exercising the BCP 78 opt-out provision: I'm fine with redistribution of copies of this document. The issue is instead with modification, such as (1) IESG's May 2025 posting of an IESG-mangled version of an appeal that I had filed and (2) IETF management selling IETF mailing-list text to AI companies. This goes far beyond what copyright law allows as fair use (such as giving quotes for purposes of commentary). When I complained about the mangled document, the IETF Executive Director responded not by apologizing but instead by asserting that IETF management had the power to do whatever it wanted. _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
