Hi D. J. Bernstein,Not a process person, so won't comment on those. Respectfully and humbly, a few technical corrections:
On 28.06.26 15:01, D. J. Bernstein wrote:
The TLS WG chairs write:Significant developments have occurred both within this document and in the broader TLS ecosystem to address the concerns raised in the last WGLC.False.
If you believe Nadim's formal analysis in ProVerif is not a significant development, I sincerely encourage you to find a security flaw in the formal analysis. Several WG participants -- including at least one FATT member -- have independently reviewed the formal analysis and the paper and concluded that it is a reasonable model.
I respectfully disagree. IMHO, we need to know if there is something technical left to do on it or otherwise to stop wasting further time on this draft. I believe the call is well-justified.Therefore, the third consensus call is warranted.No, it is not. It is an abuse of power by the chairs, inflicting costs upon opponents to object again and again.
- Key Share Reuse Prohibited in draft-ietf-tls-rfc8446bis: The WG recently reached consensus to explicitly prohibit key share reuse across connections in TLS 1.3. The new text changes the guidance from SHOULD NOT to a strict MUST NOT. This resolves the concerns regarding static key reuse and its associated privacy and forward-secrecy risks for ML-KEM.It has always been clear that this matters for one person. John Mattsson during the adoption call wrote "I support adoption as long as reuse of ephemeral keys is normatively forbidden, i.e. MUST NOT reuse"; he has made similar comments afterwards.
Respectfully, that's not correct. John is surely not the only one. Key reuse was one of my *major* concerns. In fact, I had this concern even when I was not into the PQ. I raised this concern in the 2nd WGLC of this document too.
Anyway, the consensus call on this matter has confirmed that there was full WG consensus. I do not recall a single person objecting to that consensus call. This is an undeniable attestation that it was not only John and me.
- Nadim updated the ProVerif model of TLS 1.3 to evaluate KEM and hybrid KEM groups in TLS 1.3. This supports other results which show that KEMs are secure when used in TLS 1.3 and that hybrid groups are secure even if one of the components is compromised.My understanding is that such formal analysis moved Muhammad Usama Sardar from opposition to neutral. But, again, the majority of people stating objections have done so on more fundamental grounds than this.
Respectfully, I believe that's wrong too. AFAIU, most of the 25 objecters from the last WGLC now seem to be satisfied with the formal proof. I've seen only 4-5 of those still objecting. All other objecters so far are new and I haven't seen any new arguments yet. Moreover, many more people are now in support because of formal assurance.
The formal analysis showed both proponents and opponents were correct: * proponents in the sense that there is no security issue in the integration of ML-KEM in TLS * opponents in the sense that hybrids enjoy two-factor security properties and it is not only "proponents of hybrids" as the draft previously said, rather a scientifically proven fact.I hope we can use the FATT process for controversial drafts right from the beginning to optimize the WG energy and avoid tabletop discussions. I also hope we can work like a collaborative working group rather than a battlefield.
Best, -Usama
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
