Dear John

I am sorry for answering only now, and I thank you for your genuine and open message. About the conference you mention, this was organized mostly by CEN-CENELEC, myself I work and follow discussions at a more fundamental level. But one of the “maps” that you mention actually had IETF on the side of the map! or at least I remember this was indeed the case.

I hope the IETF meeting on the week 14-20/03 was constructive. My engagement and statements – in my personal capacity – on the overall discussion on (pure) ML-KEM are clear and I do not want to express again what I already expressed. I also see the conversation has evolved, with also new interesting threads, and I am still catching up with everything. Nevertheless, the evidence remains, it is left here in writing and speaks by itself: the objections raised by many express fundamental concerns, and these are beyond editorial changes. In my personal view still time has to pass before starting discussions on pure ML-KEM. And waiting this time would be perfectly legitimate. Dealing now with such objections via a discussion about editorial changes may well seem – or at least this is what seems to me – to chase a wishful thinking/idea of “rough consensus”.

Thank you all for the fruitful discussion

Fabiana

From: John Mattsson <[email protected]>
Sent: Monday, March 16, 2026 10:16 AM
To: DA PIEVE Fabiana (CNECT) <[email protected]>; [email protected]
Subject: Encouraging European Commission Engagement with the IETF

Dear Fabiana,

It made me very happy to see the European Commission engaging directly with the IETF. As you know, the IETF is by far the most important standards development organization for security protocols, such as TLS, DTLS, QUIC, IKEv2, ESP, SRTP, SSH, OAuth, JOSE, COSE, CMS, EAP, PKIX, OCSP, MLS, OSCORE, and EDHOC, and is arguably also the most influential SDO for cryptography itself. The IETF/IRTF has specified a large number of foundational cryptographic algorithms and constructions, including HMAC, HKDF, TurboSHAKE, KangarooTwelve, CCM, OCB, ChaCha20‑Poly1305, SIV, GCM‑SIV, AEGIS, X25519, X448, Ed25519, Ed448, ristretto255, decaf448, Brainpool curves, SAKKE, LMS, XMSS, PKCS #1 (RSA 2.2), RSA blind signatures, ECCSI, MODP, FFDHE, PBKDF2, Argon2, OPAQUE, OPRFs, and VRFs, many of which have later been adopted by NIST and ISO.

IETF security protocols and cryptographic specifications are absolutely essential for European industry. Against this background, I was somewhat concerned by a recent presentation from ENISA at the 10th Cybersecurity Standardisation Conference, where the IETF did not appear at all on the map of relevant cybersecurity standards. This made it especially encouraging to see the European Commission engaging directly with the IETF.

Cheers,
John Preuß Mattsson

From: DA PIEVE Fabiana <[email protected]>
Date: Thursday, 26 February 2026 at 05:22
To: [email protected] <[email protected]>
Subject: [TLS] Re: [EXT] Re: WG Last Call: draft-ietf-tls-mlkem-05 (Ends 2026-02-27)

Dear Dr. Blumenthal

I catch up here given that anyway your recent answer to my concerns is also related to this thread and as per Toerless’ advice it would be better to have this discussion here. Admittedly your answer (reported here below) was not addressing my concerns. A hybrid still has a chance of being secure if old good crypto would be successfully attacked, so your argument does not stand.

More in general, about the perception of risk, I do not see the reason why to have an optimistic attitude when it is about security. Actually, in security the right attitude towards risk is to be “short and mid-term pessimistic” (with the long-term to be defined), and I think that in a transition phase (which will likely last longer than we may think) this is indeed the appropriate attitude to have. To build confidence in RSA took 20 years or more. I do not expect that PQC will have such a remarkably different path.

Not sure fragmenting options is wise now, neither for security (first obvious reason) nor for the market.

Thanks for your kind attention

Fabiana

[TLS] Re: [EXT] Re: Fwd: New Version Notification for draft-barnes-tls-this-could-have-been-an-email-00.txt
"Blumenthal, Uri - 0553 - MITLL" <[email protected]>
Wed, 25 February 2026 17:10 UTC

Because the common good sense says that the assurance of the ‘“old” good crypto’ is over, which is the whole point of this exercise.

When your data has a long life - only PQ part matters, otherwise it’s just whether it will be compromised even sooner.

When your data is short-lived - you don’t need the PQ part, and may not care if it’s present, weak, or whatever.

--
Regards,
Uri

Secure Resilient Systems and Technologies
MIT Lincoln Laboratory

> On Feb 25, 2026, at 11:50, DA PIEVE Fabiana <[email protected]> wrote:
>
> In my personal capacity, I have to say that in all this discussion it is not
> clear to me yet the main issue - the reason why we would go for a path that
> is not based on a common good sense, by removing the assurance of security
> given by “old” good crypto. This adds up to the fact that the cost of keeping
> it is actually cheap, and to the fact that an outstanding work has been done
> already to deploy hybrid ML-KEM in TLS. Hybrid ML-KEM is such a cheap way to
> reduce risks. So, overall, I still cannot crystallize in my head what is the
> advantage in security and costs in throwing away ECC and how to reconcile
> this with what is pushed in my own part of the world. Not sure what would be
> the advantage in fragmenting things now. I would like to invite all EU
> researchers or anyway all those with whom I am in contact to write to me to help
> me increase my understanding of the exceptional need for all this, and
> eventually share their technical concerns, to see if they overlap with mine,
> in case you would have time and you would be willing to do so. I thank
> everybody here for the discussion.
>
> Fabiana Da Pieve
> Program Manager
> European Commission
> DG Communications Networks, Content and Technology
> Unit C4 – Emerging & Disruptive Technologies

Fabiana Da Pieve
Program Manager
European Commission
DG Communications Networks, Content and Technology
Unit C4 – Emerging & Disruptive Technologies
