Hi D. J. Bernstein,

Not a process person, so won't comment on those. Respectfully and humbly, a few technical corrections:

On 28.06.26 15:01, D. J. Bernstein wrote:
The TLS WG chairs write:
Significant developments have occurred both within this document and
in the broader TLS ecosystem to address the concerns raised in the
last WGLC.
False.

If you believe Nadim's formal analysis in ProVerif is not a significant development, I sincerely encourage you to find a security flaw in the formal analysis. Several WG participants -- including at least one FATT member -- have independently reviewed the formal analysis and the paper and concluded that it is a reasonable model.

Therefore, the third consensus call is warranted.
No, it is not. It is an abuse of power by the chairs, inflicting costs
upon opponents to object again and again.
I respectfully disagree. IMHO, we need to know if there is something technical left to do on it or otherwise to stop wasting further time on this draft. I believe the call is well-justified.
- Key Share Reuse Prohibited in draft-ietf-tls-rfc8446bis: The WG
recently reached consensus to explicitly prohibit key share reuse
across connections in TLS 1.3. The new text changes the guidance from
SHOULD NOT to a strict MUST NOT. This resolves the concerns regarding
static key reuse and its associated privacy and forward-secrecy risks
for ML-KEM.
It has always been clear that this matters for one person. John Mattsson
during the adoption call wrote "I support adoption as long as reuse of
ephemeral keys is normatively forbidden, i.e. MUST NOT reuse"; he has
made similar comments afterwards.

Respectfully, that's not correct. John is surely not the only one. Key reuse was one of my *major* concerns. In fact, I had this concern even when I was not into the PQ. I raised this concern in the 2nd WGLC of this document too.

Anyway, the consensus call on this matter has confirmed that there was full WG consensus. I do not recall a single person objecting to that consensus call. This is an undeniable attestation that it was not only John and me.

- Nadim updated the ProVerif model of TLS 1.3 to evaluate KEM and
hybrid KEM groups in TLS 1.3. This supports other results which show
that KEMs are secure when used in TLS 1.3 and that hybrid groups are
secure even if one of the components is compromised.
My understanding is that such formal analysis moved Muhammad Usama
Sardar from opposition to neutral. But, again, the majority of people
stating objections have done so on more fundamental grounds than this.

Respectfully, I believe that's wrong too. AFAIU, most of the 25 objecters from the last WGLC now seem to be satisfied with the formal proof. I've seen only 4-5 of those still objecting. All other objecters so far are new and I haven't seen any new arguments yet. Moreover, many more people are now in support because of formal assurance.

The formal analysis showed both proponents and opponents were correct:

 * proponents in the sense that there is no security issue in the
   integration of ML-KEM in TLS
 * opponents in the sense that hybrids enjoy two-factor security
   properties and it is not only "proponents of hybrids" as the draft
   previously said, rather a scientifically proven fact.

I hope we can use the FATT process for controversial drafts right from the beginning to optimize the WG energy and avoid tabletop discussions. I also hope we can work like a collaborative working group rather than a battlefield.

Best,

-Usama

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to