Hi Bas, That is my point.
There are some known security issues with some ML-KEM implementations, but no known security issues with ML-KEM that are of immediate relevance to the way it is used in TLS. I honestly don't understand the opposition to this draft. I can understand why it is marked as N (not recommended) in the IANA registry, but not why there can't be an informational RFC that specifies the way it is supposed to be implemented, if or when it is supported by a conformant interoperable TLS implementation.
On 2026-07-04 17:47, Bas Westerbaan wrote:
Hi Henrick,Would you mind explaining how an attacker would use a timing side- channel attack against ephemeral use of ML-KEM in TLS?Best, BasOn Sat, Jul 4, 2026 at 4:53 PM Henrick Hellström <[email protected] <mailto:[email protected]>> wrote:I have followed the discussion on this topic and support publication of this document as a RFC. Short motivation: Recognizing the there might be a high risk of implementation bugs or timing issues with new implementations, is a terrible reason to delay the publication of an informational documentation of a mechanism that is given status N (not recommended) in the IANA registry. Henrick Wibell Hellström StreamSec On 2026-06-24 17:00, Joseph Salowey via Datatracker wrote: > This message initiates a new Working Group Last Call for draft- ietf-tls-mlkem[1], which defines standalone ML-KEM key establishment for TLS 1.3. The main question before the working group is: "Should the working group publish a document specifying stand alone ML- KEM?". If there is rough consensus then we will push to refine and publish the document; otherwise, we will stop discussing the draft and not progress it. Please respond to this call indicating whether you support publishing a document specifying a stand alone ML-KEM. Please refrain from further discussion on this topic as most arguments have been discussed multiple times. _______________________________________________ TLS mailing list -- [email protected] <mailto:[email protected]> To unsubscribe send an email to [email protected] <mailto:tls- [email protected]>
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
