Hi, Bocai,

I have a question on the rationale of TLS 1.4, similar to those from Usama.

Are there any specific issues which cannot be addressed in the framework of TLS 1.3, or have not been covered by the current documents in the WG (Working Group)? To my understanding, there seems to be no necessity to do TLS 1.4 now.

Cheers,
Guilin

From: Muhammad Usama Sardar <[email protected]>
To: Bocai Zhou <[email protected]>
Cc: pqc <[email protected]>; tls <[email protected]>
Date: 2025-10-02 03:15:46
Subject: [TLS] Re: [Pqc] Subject: Request for Technical Review: Internet-Draft draft-zhou-tls-tls14-03 – The Transport Layer Security (TLS) Protocol Version 1.4

I agree with Ekr that this draft is not required. There needs to be strong evidence why exactly the proposed TLS 1.4 is better than TLS 1.3 and why that is not achievable via an extension of TLS 1.3. Towards that, I would appreciate precise answers to two questions inline.

Also, it would have been good to start with the RFC8446bis as -00 so that one could more easily see what the changes are.

On Tue, Sep 30, 2025 at 9:22 PM Bocai Zhou <[email protected]> wrote:

> This approach is designed to establish a cleaner, unambiguously secure, and sustainable foundation for PQC-era deployments.

Could the claim of "unambiguously secure" be substantiated? Is there any ongoing formal analysis for this draft? If so, please point me to that.

> * Mandatory Hybrid Authentication: To effectively mitigate potential downgrade and substitution attacks in the long term, the design requires hybrid authentication to utilize two distinct certificate chains—one classical and one PQC. Crucially, these chains must be cryptographically linked (e.g., through cross-signatures or a Certified Linking X.509 Extension). The CertificateVerify message is accordingly updated to mandate the inclusion and validation of both signatures over the identical transcript hash.

What exactly does "effectively" mean here?

Is the claim that the proposed TLS 1.4 is better compared to an extension of TLS 1.3? If so, I would like to see some formal reasoning for that.

-Usama
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
