Eric Rescorla <[email protected]> writes: > On Mon, Oct 20, 2025 at 8:10 AM Simon Josefsson <[email protected]> wrote: > >> Eric Rescorla <[email protected]> writes: >> >> >> *EKR wrote:*>It's purely about whether we think it's reasonable to >> implement. >> >> >> >> This is the current meaning. RFC8447bis will change the meaning to: >> >> >> >> “This only means that the associated mechanism is fit for the >> >> purpose for which it was defined.” >> > >> > Right. Is it not the opinion of the TLS WG that P256/P-384 + MLKEM are >> fit >> > for that purpose? >> >> RFC8447bis requires IETF-consensus. I don't think that question has >> been asked IETF-wide at all so far, has it? Has there been any >> consensus call in the TLS WG on that question even? So we don't really >> know. >> > > RFC 8447bis has already been IETF Last Called and approved by the IESG, > and is in the RFC Editor Queue now. > > https://datatracker.ietf.org/doc/draft-ietf-tls-rfc8447bis/
Right, and quoting it:
The instructions in this document update the Recommended column,
originally added in [RFC8447] to add a third value, "D", indicating
that a value is "Discouraged". The permitted values of the
"Recommended" column are:
Y:
Indicates that the IETF has consensus that the item is
^^^^^^^^^^^^^^^^^^
RECOMMENDED. This only means that the associated mechanism is fit
for the purpose for which it was defined.
The definition of RECOMMENDED is through
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
and is:
3. SHOULD This word, or the adjective "RECOMMENDED", mean that there
may exist valid reasons in particular circumstances to ignore a
particular item, but the full implications must be understood and
carefully weighed before choosing a different course.
I'm not seeing any IETF-wide consensus question or determination about
this question so far. There is a WGLC but that would not establish
IETF-wide consensus.
I think we clearly do not have IETF-wide consensus for Recommended=Y
established now.
I think X25519+MLDSA65 should be that, though, and that we ask the
IETF-wide question after the WGLC as part of the normal IESG last call.
I don't think we should be asking the same question for MLDSA65 with the
NIST curves, as we have good deployment of X25519+MLDSA65 already and
little technical advantage to add P*+MLDSA but significant costs in
implementation size and attack code surface.
/Simon
signature.asc
Description: PGP signature
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
