Please reject. Due to it missing some information for Security Considerations, IMHO this MUST NOT be published as an RFC.

The TLS WG should IMHO ask the groups from the linked liaison statements and the editors of CNSA2.0 to adopt X25519MLKEM768 instead.

---

Missing information for Security or IANA Considerations:

I think we should have learned from history of TLS and other protocols that having multiple possible algorithms is a security problem. The same is true of having multiple choices for the negotiation options in a protocol. So for each options existence the full and exact arguments chosen for a spec must be easy to look up.

There is no argument given in this draft for why this new option to TLS Supported Groups should be added when X25519MLKEM768 is already widely deployed. It does not even mention why it should be the chosen one if it were the only cypher or the first post quantum one. I do understand this was discussed, but it needs to be in the RFC. (It was also not included in the text of the last call or its linked documents.)

It needs to be written which considerations apply for common expected negotiation offers.

It needs to be written which will be the most common negotiation offers, expected based on guessed vendor choices and market forces. And maybe some relevant but less common ones if the argument is that this is needed for less common ones. And how these negotiations will interact.

---

Relation with other specs:

There is no argument given for why the linked liaison statements are requesting this.

There were multiple mentions elsewhere that ultimately imply that CNSA2.0 requires a non-hybrid ml-kem. By my reading of CSA_CNSA_2.0_ALGORITHMS.PDF that is wrong, it mentions explicitly "hybrid solutions may be allowed". draft-becker-cnsa2-tls-profile-04 is still a draft and does not mention the word hybrid or 25519, so seems to give no reasoning. The file CSI_CNSA_2.0_FAQ_.PDF goes into more detail on its preferences regarding hybrids including some written out arguments. My understand is that those arguments imply to favor selecting X25519MLKEM768 for CNSA2.0.

The argument that this should be published as RFC for harm reduction reasons doesn't sound correct to me, but again I could not inspect the full argument as it was not written out where I read that.

---

I could not find statements from the WG regarding which arguments regarding previous last calls it considered and what the official response was. It would be useful if the last call message would include or link to a summary of all the arguments made after the previous last call and their official response. That might have made me not send this message or at least made it much shorter.

Perhaps it is the position of the TLS WG that the text in this last call after "recent changes:" is supposed to be that. But after reading it and the one for last call of draft-ietf-tls-mlkem-05, I'm under the impression that significant arguments where made regarding this draft before this last call, that were not mentioned. So clarification on that would be appreciated.

---

Some background how common implementation usage looked before X25519MLKEM768:

Most Linux distributions ship a default, some Linux distributions support a FIPS mode which is what a few get certified. There is another deployment dear to me that is relevant here, the servers that run Wikipedia.

Distri default: Support a superset of FIPS mode, meaning FIPS off can connect to a system with FIPS on. This is often broken in that FIPS algorithms might get preferred where they shouldn't be. Also in practice people who want to avoid those algorithms would need to configure that on their own even if they would be fine in not being able to connect to many websites (due to deployment of FIPS on where not necessary).

Distri FIPS mode:

This switches off some options like the non-hybrid x25519.

This is all the same binaries as the normal / default mode of the Linux distribution. Except for sometimes special disk images, installer images, live media images, etc that have the FIPS mode on by default. There is a kernel boot argument fips=1 which ever supported bootloader needs to be able to pass to the Linux kernel to boot. Operators can edit it before the boot and this also applies to live images or installers. Applications running on linux can read this and everything that uses any cryptography needs to react to it. It needs to be passed through by any container like podman/kubernetes/flatpak or virtualization software like kvm. So any supported container images also need to support FIPS mode.

This is fragile as it involves many manual changes at downstream vendors and operators and humans make errors all the time. Operators accidentally run with FIPS mode not enabled. Software is not implemented to react to FIPS mode. Random example I would expect to fail this is Chrome/Chromium. Container images often do not consider FIPS mode as base images who do are bigger. So then security solutions to prevent those errors get layered on, those are not designed in a secure way and make the systems even less secure.

Wikipedia: The diversity of clients that needs to be supported is much bigger. The advantage is that you can just look at the stats on which negotiation offers where seen in the past as that can be recorded in a privacy preserving way. The downside is that the pressure to not lock out a client is bigger than for a Linux distribution (or an Android and thus client only distribution).

Note that the IANA TLS Parameters page does not express any of these configuration realities, not as of now and also not in any previous version. IMHO that is already a security error. The TLS WG should fix it, so as an implementer it is directly usable for the most common cases.

---

If X25519MLKEM768 were adopted in CNSA2.0, then that would mean a reduction in common security failures related to FIPS mode. CSI_CNSA_2.0_FAQ_.PDF thus in effect argues for this, e.g. by warning against complexity.

If the non-hybrid ml-kem would be made a spec here, my prediction is that in effect a big portion of the traffic on the internet would be migrated from X25519MLKEM768 to a non-hybrid. CSI_CNSA_2.0_FAQ_.PDF in effect argues against this, e.g. by warning of a second migration.



Please kindly CC me or forward a copy if you want to make a response from me to a list message more likely.

--
Best regards,
Jan Zerebecki

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to