I agree with Ekr that this draft is not required. There needs to be strong evidence why exactly the proposed TLS 1.4 is better than TLS 1.3 and why that is not achievable via an extension of TLS 1.3. Towards that, I would appreciate precise answers to two questions inline.

Also, it would have been good to start with the RFC8446bis as -00 so that one could more easily see what the changes are.


On Tue, Sep 30, 2025 at 9:22 PM Bocai Zhou <[email protected]> wrote:

    This approach is designed to establish a cleaner, unambiguously
    secure, and sustainable foundation for PQC-era deployments.

Could the claim of "unambiguously secure" be substantiated? Is there any ongoing formal analysis for this draft? If so, please point me to that.

    * Mandatory Hybrid Authentication: To effectively mitigate
      potential downgrade and substitution attacks in the long term,
      the design requires hybrid authentication to utilize two
      distinct certificate chains—one classical and one PQC.
      Crucially, these chains must be cryptographically linked
      (e.g., through cross-signatures or a Certified Linking X.509
      Extension). The CertificateVerify message is accordingly
      updated to mandate the inclusion and validation of both
      signatures over the identical transcript hash.

What exactly does "effectively" mean here? Is the claim that the proposed TLS 1.4 is better compared to an extension of TLS 1.3? If so, I would like to see some formal reasoning for that.

-Usama
