2026-07-06 10:38 GMT+02:00 Filippo Valsorda <[email protected]>: > 2026-07-06 09:50 GMT+02:00 Stephan Neuhaus <[email protected]>: >> Perhaps to illustrate my point, WolfSSL has received a CVE for a bug in >> ML-KEM on https://nvd.nist.gov/vuln/detail/CVE-2026-10097. > > That CVE has already been discussed in this thread, and has no impact on > ephemeral key exchange in TLS. It is actually pretty hard to implement ant > ephemeral key exchange so wrong that it matters.
s/ant/any/ 🐜 > (We also had long discussions on whether non-ephemeral key reuse should be > allowed, and the group seems to mostly agree it should not. I suggest reading > the archives for details if you are new.) Usama pointed out to me off-list that this was in fact specified in the WGLC email and suggested I clarify. See below the excerpt. > - Key Share Reuse Prohibited in draft-ietf-tls-rfc8446bis: The WG recently > reached consensus to explicitly prohibit key share reuse across connections > in TLS 1.3. The new text changes the guidance from SHOULD NOT to a strict > MUST NOT. This resolves the concerns regarding static key reuse and its > associated privacy and forward-secrecy risks for ML-KEM. >> I do remember seeing this with a CWE of CWE-327: Use of a Broken or >> Risky Cryptographic Algorithm, but that has since changed in the NVD to >> read CWE-697: Incorrect Comparison. (See the CVE change history in the NVD.) >> >> Cheers >> >> Stephan >> >> On 7/1/26 12:32 PM, Stephan Neuhaus wrote: >> > I do not support the publication of this document. >> > >> > I remember well that security standards get broken: when they have been >> > well-reviewed, but especially when they're new. Bugs show up in the >> > math, but also in implementations. Lattice cryptography seems to me to >> > be a very active field of research, when quite fundamental results (and >> > bugs!) are still being discovered, both in the math and in the >> > implementations. From a risk-management perspective alone, I believe >> > that it's too risky to standardise, even as "informational", a mode of >> > encryption that relies only on these new methods. >> > >> > Cheers >> > >> > Stephan >> > >> > PS: Full disclosure: I have just joined the TLS mailing list, mainly to >> > say just this. I also have no standing in the cryptographic community, >> > except that I have published a paper last year together with Peter >> > Gutmann of this parish, about how all of the published quantum >> > factorisation records are bogus [1]. What kind of standing this gives >> > me, if any, is anybody's guess. >> > >> > [1] https://eprint.iacr.org/2025/1237 >> > >> > _______________________________________________ >> > TLS mailing list -- [email protected] >> > To unsubscribe send an email to [email protected] >> >> _______________________________________________ >> TLS mailing list -- [email protected] >> To unsubscribe send an email to [email protected] >> > > _______________________________________________ > TLS mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
