UNCLASSIFIED / NON CLASSIFIÉ

I support publication.

On Wed, Jul 1, 2026 at 5:59 PM Andrew Lee <[email protected]> wrote:
> On Jul 1, 2026, at 2:22 PM, Kevin Milner <[email protected]> wrote:
> > It’s important to separate opposition to the rollout of non-hybrid PQC
> > from opposition to this draft.
>
> Someone from the Canadian Centre for Cyber Security (Canadian
> Government) literally wrote on list they are relying on this document
> to be published so they can recommend solo ML-KEM [0][1], and an
> expert PQ cryptographer [2] pointed this out in addition to their
> opposition.

Yes, the Canadian Centre for Cyber Security plans to recommend the use of 
ML-KEM for TLS in our guidance for configuring network security protocols 
(ITSP.40.062 [3]).  We hope it will be published as an RFC.

However, contrary to assumptions made by others, the Cyber Centre also plans to 
recommend hybrid ECDHE-MLKEM as per draft-ietf-tls-ecdhe-mlkem.  Therefore, our 
general guidance is not recommending one over the other, as it may be a use 
case specific decision.  We want the migration to PQC to be as easy as possible 
to have vendors and organizations meet our timelines [4].

Jonathan

[3] 
https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062
[4] 
https://www.cyber.gc.ca/en/guidance/roadmap-migration-post-quantum-cryptography-government-canada-itsm40001

-----Original Message-----
From: Andrew Lee <[email protected]>
Sent: July 1, 2026 5:58 PM
To: Kevin Milner <[email protected]>
Cc: Nadim Kobeissi <[email protected]>; [email protected]
Subject: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08)

On Jul 1, 2026, at 2:22 PM, Kevin Milner <[email protected]> wrote:


        several very widely deployed libraries and applications are already 
implementing pure ML-KEM (I believe several have been cited previously in the 
discussion of this draft, by both sides), and I suspect more will over time.


Do you happen to have a few examples or a link to this so-called wall of shame? 
People have rolled their own libraries since the beginning. Just because people 
are releasing things doesn't mean the IETF has to put their name on everything 
with a meaningless RECOMMENDED=N.



        It’s important to separate opposition to the rollout of non-hybrid PQC 
from opposition to this draft.



Someone from the Canadian Centre for Cyber Security (Canadian Government) 
literally wrote on list they are relying on this document to be published so 
they can recommend solo ML-KEM [0][1], and an expert PQ cryptographer [2] 
pointed this out in addition to their opposition.

In RFCs, nobody reads the part where it’s recommended or not. If they open the 
document, it’s because they’re looking for the implementation / protocol 
details. An RFC signals adoption by the IETF outside the IETF, whether the word 
“adopted” means _adopted_ here or not.


[0] Not surprising given the new C-22 spy bill.
[1] https://mailarchive.ietf.org/arch/msg/tls/uOeM5IRcYYjpNFlRyxEfo91q29c/
[2] https://mailarchive.ietf.org/arch/msg/tls/oxuqWPQ08itms6NxEPCiFVzVgtY/


_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to