On Wed, Apr 22, 2026 at 1:40 PM Eric Rescorla <[email protected]> wrote:
> On Wed, Apr 22, 2026 at 10:23 AM David Benjamin <[email protected]> wrote:
>
>> Even with Merkle Tree Certificates, we actually still need this document
>> anyway for the end-entity TLS key, and the CertificateVerify signature it
>> generates.
>
> As well as for the standalone certificates, right?

Both standalone certificates and landmark-relative certificates will need this document if we want them to authenticate an ML-DSA end-entity TLS key, and for that TLS key to generate an ML-DSA CertificateVerify. Neither of them need this draft for any of the X.509 signatures because, even standalone ones. At least as currently written, the X.509-level signature for both is an MTC-specific one, and TLS SignatureScheme codepoints don't get applied individual cosignatures.

(Why it looks like that is a whole topic in itself, but I'll refrain from diving into that because we're now getting very distracted from the topic at hand. :-D)

David

> -Ekr
>
>> (I support publication, but I think I've said as much on this thread
>> already.)
>>
>> On Wed, Apr 22, 2026 at 1:14 PM Soatok Dreamseeker <[email protected]> wrote:
>>
>>> I've been working since 2024 on a proposal for Key Transparency for the
>>> Fediverse, as part of an overall goal to ship E2EE for private messages
>>> sent over Mastodon and other Fediverse software. My proposal uses pure
>>> ML-DSA. No composite/hybrid signatures. But my KEM recommendation remains
>>> hybrid-first.
>>>
>>> And, although I think Merkle Tree Certificates are a more realistic way
>>> to get post-quantum auth into TLS than shoving ML-DSA into the incumbent
>>> design, I support the publication. Just because it's published doesn't mean
>>> I have a gun held to my head to actually use it. I wish more of the people
>>> raising objections would consider this important fact.
>>>
>>> On Wed, Apr 22, 2026 at 10:43 AM Sean Turner <[email protected]> wrote:
>>>
>>>> Reminder that this WGLC ends tomorrow.
>>>>
>>>> spt
>>>>
>>>> > On Apr 15, 2026, at 15:07, Sean Turner <[email protected]> wrote:
>>>> >
>>>> > Reminder that this WGLC is still ongoing.
>>>> >
>>>> > spt
>>>> >
>>>> >> On Apr 9, 2026, at 15:30, Sean Turner <[email protected]> wrote:
>>>> >>
>>>> >> This is the working group last call for Use of ML-DSA in TLS 1.3.
>>>> >> Please review draft-ietf-tls-mldsa [1] and reply to this thread indicating
>>>> >> if you think it is ready for publication or not. If you do not think it is
>>>> >> ready please indicate why. This call will end on April 23, 2026.
>>>> >>
>>>> >> REMINDER: If you have not done so recently, review the TLS WG's Mail
>>>> >> List Procedures; see [2].
>>>> >>
>>>> >> The Chairs,
>>>> >> Deirdre, Joe, and Sean
>>>> >>
>>>> >> [1] https://datatracker.ietf.org/doc/draft-ietf-tls-mldsa/
>>>> >> [2] https://mailarchive.ietf.org/arch/msg/tls/ucdImHExlbOf4Q3BCG81gjzi2xE/
>>>>
>>>> _______________________________________________
>>>> TLS mailing list -- [email protected]
>>>> To unsubscribe send an email to [email protected]
