Hi,

I read the draft and I support its publication.


Nits & typos:

Section 5:

s/{KOBEISSI26}/[KOBEISSI26]

I would place the sentence:

   Formal analysis has also shown that hybrid key
   establishment (e.g., [HYBRID], [ECDHE-MLKEM]) provides compositional
   security; the exchange remains secure as long as at least one of the
   component algorithms is unbroken.

in a separate para, since all the other text in this para is concerned
with ML-KEM and this sentence is concerned with hybrid mechanisms.


Section 7.2

s/Post-Quantum {TLS} 1.3 Handshake from {CPA}-Secure {KEMs}/ Post-Quantum TLS 
1.3 Handshake from CPA-Secure KEMs

Regards,
Valery.


> -----Original Message-----
> From: Joseph Salowey via Datatracker <[email protected]>
> Sent: Wednesday, June 24, 2026 6:00 PM
> To: [email protected]; [email protected]; [email protected]
> Subject: [TLS] WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08)
> 
> This message initiates a new Working Group Last Call for 
> draft-ietf-tls-mlkem[1], which defines standalone ML-
> KEM key establishment for TLS 1.3. The main question before the working group 
> is: "Should the working group
> publish a document specifying stand alone ML-KEM?". If there is rough 
> consensus then we will push to refine and
> publish the document; otherwise, we will stop discussing the draft and not 
> progress it. Please respond to this call
> indicating whether you support publishing a document specifying a stand alone 
> ML-KEM. Please refrain from
> further discussion on this topic as most arguments have been discussed 
> multiple times.
> 
> Why are we holding this consensus call now?
> 
> Significant developments have occurred both within this document and in the 
> broader TLS ecosystem to address
> the concerns raised in the last WGLC. Therefore, the third consensus call is 
> warranted. We ask the working group
> to consider document publication in light of these recent changes:
> 
> - Promotion of Hybrids in draft-ietf-tls-ecdhe-mlkem: Following a separate 
> consensus call, the WG agreed to
> promote the X25519MLKEM768 hybrid group to Recommended: Y in the IANA 
> registry. Consequently, the IANA
> registry will reflect a clear community preference for a hybrid because 
> Recommended: Y clearly indicates this while
> the standalone ML-KEM groups defined in this draft remain Recommended: N. The 
> updated security
> considerations in [1] reference the IANA registry to emphasize this 
> preference.
> 
> - Key Share Reuse Prohibited in draft-ietf-tls-rfc8446bis: The WG recently 
> reached consensus to explicitly prohibit
> key share reuse across connections in TLS 1.3. The new text changes the 
> guidance from SHOULD NOT to a strict
> MUST NOT. This resolves the concerns regarding static key reuse and its 
> associated privacy and forward-secrecy
> risks for ML-KEM.
> 
> - Nadim updated the ProVerif model of TLS 1.3 to evaluate KEM and hybrid KEM 
> groups in TLS 1.3. This supports
> other results which show that KEMs are secure when used in TLS 1.3 and that 
> hybrid groups are secure even if
> one of the components is compromised.
> 
> - Liaisons: We received liaison statements from multiple SDOs including  
> O-RAN[2], IEEE 802.11[4] and from
> 3GPP[3]  expressing support for the publication of draft-ietf-tls-mlkem as an 
> RFC as they rely on the IETF to
> provide a stable normative reference.
> 
> Please note that a third-party IPR disclosure exists [5] against this 
> document regarding patents related to the
> underlying ML-KEM algorithm. This IPR declaration has not changed since the 
> last WGLC. As a reminder, per
> BCP 79, the IETF takes no stance on the validity of patent claims, and the 
> working group may decide to proceed
> with a technology despite IPR disclosures if it decides that such use is 
> warranted.
> 
> Conduct Reminder: Given the heated nature of previous discussions on this 
> topic, participants are strongly
> reminded to adhere to the IETF Code of Conduct (BCP 54) and the TLS WG's Mail 
> List Procedures. Keep
> feedback professional, technical, and focused on the document's text.
> 
> This working group last call will end on 2026-07-08.
> 
> Joe and Sean
> 
> [1] https://datatracker.ietf.org/doc/draft-ietf-tls-mlkem/
> [2] https://datatracker.ietf.org/liaison/2198/
> [3] https://datatracker.ietf.org/liaison/2151/
> [4] https://datatracker.ietf.org/liaison/2148/
> [5] 
> https://datatracker.ietf.org/ipr/search/?submit=draft&id=draft-ietf-tls-mlkem
> 
> _______________________________________________
> TLS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to