2026-07-06 10:38 GMT+02:00 Filippo Valsorda <[email protected]>:
> 2026-07-06 09:50 GMT+02:00 Stephan Neuhaus <[email protected]>:
>> Perhaps to illustrate my point, WolfSSL has received a CVE for a bug in 
>> ML-KEM on https://nvd.nist.gov/vuln/detail/CVE-2026-10097.
> 
> That CVE has already been discussed in this thread, and has no impact on 
> ephemeral key exchange in TLS. It is actually pretty hard to implement ant 
> ephemeral key exchange so wrong that it matters.

s/ant/any/

🐜

> (We also had long discussions on whether non-ephemeral key reuse should be 
> allowed, and the group seems to mostly agree it should not. I suggest reading 
> the archives for details if you are new.)

Usama pointed out to me off-list that this was in fact specified in the WGLC 
email and suggested I clarify. See below the excerpt.

> - Key Share Reuse Prohibited in draft-ietf-tls-rfc8446bis: The WG recently 
> reached consensus to explicitly prohibit key share reuse across connections 
> in TLS 1.3. The new text changes the guidance from SHOULD NOT to a strict 
> MUST NOT. This resolves the concerns regarding static key reuse and its 
> associated privacy and forward-secrecy risks for ML-KEM.

>> I do remember seeing this with a CWE of CWE-327: Use of a Broken or 
>> Risky Cryptographic Algorithm, but that has since changed in the NVD to 
>> read CWE-697: Incorrect Comparison. (See the CVE change history in the NVD.)
>> 
>> Cheers
>> 
>> Stephan
>> 
>> On 7/1/26 12:32 PM, Stephan Neuhaus wrote:
>> > I do not support the publication of this document.
>> > 
>> > I remember well that security standards get broken: when they have been 
>> > well-reviewed, but especially when they're new. Bugs show up in the 
>> > math, but also in implementations. Lattice cryptography seems to me to 
>> > be a very active field of research, when quite fundamental results (and 
>> > bugs!) are still being discovered, both in the math and in the 
>> > implementations. From a risk-management perspective alone, I believe 
>> > that it's too risky to standardise, even as "informational", a mode of 
>> > encryption that relies only on these new methods.
>> > 
>> > Cheers
>> > 
>> > Stephan
>> > 
>> > PS: Full disclosure: I have just joined the TLS mailing list, mainly to 
>> > say just this. I also have no standing in the cryptographic community, 
>> > except that I have published a paper last year together with Peter 
>> > Gutmann of this parish, about how all of the published quantum 
>> > factorisation records are bogus [1]. What kind of standing this gives 
>> > me, if any, is anybody's guess.
>> > 
>> > [1] https://eprint.iacr.org/2025/1237
>> > 
>> > _______________________________________________
>> > TLS mailing list -- [email protected]
>> > To unsubscribe send an email to [email protected]
>> 
>> _______________________________________________
>> TLS mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> 
> 
> _______________________________________________
> TLS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> 
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to