I can only add my agreement with John’s points.
-- V/R, Uri

From: John Mattsson <[email protected]>
Date: Friday, March 20, 2026 at 17:14
To: <[email protected]>
Cc: Scott Mansfield <[email protected]>
Subject: [EXT] [TLS] LS on the work item related to QKD and TLS integration framework in SG13

Hi,

I am worried about the ITU-T work on TLS, which seems to significantly lower the security.
https://datatracker.ietf.org/liaison/2141/

I suggest that TLS WG replies as follows:

----------------------------------
TLS WG is concerned that ITU-T describes QKD as a technology that can be practically deployed today. Previous IETF discussions have concluded that QKD is not practically secure at present, but may become usable in a few decades as a defense-in-depth mechanism for point-to-point connections. QKD implementations today are not practically secure, even for point-to-point connections, and are even less suitable over longer distances. The concept of “trusted nodes” runs counter to established security principles such as zero trust and end-to-end encryption.

Alarmingly, some QKD and QRNG vendors claim that their products are “unbreakable” and that their output can be used directly for cryptographic purposes without a CSPRNG or asymmetric cryptographic algorithms for key exchange and authentication. This is exactly the kind of statement one would expect from a hardware vendor secretly influenced by a SIGINT organization.

The TLS WG agrees with the direction taken by the Pentagon to not test, pilot, use, or procure QKD and PSK-based solutions for quantum resistance, and to phase out symmetric key distribution.
https://dowcio.war.gov/Portals/0/Documents/Library/PreparingForMigrationPQC.pdf

The solution in ITU-T Y.QKD-TL would not enhance the security of TLS; it would severely weaken it.

ITU-T should recommend migration to hybrid key exchange mechanisms such as X25519MLKEM768, which have already seen significant deployment.
https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
https://radar.cloudflare.com/post-quantum

The use of psk_ke symmetric key distribution significantly weakens the security of TLS by removing asymmetric cryptographic algorithms for key exchange and authentication. The psk_ke mode was designed for constrained IoT environments, is disabled in many TLS libraries, and is not suitable for high-security use cases such as critical infrastructure. If PSK-based solutions for quantum resistance are used, they should follow RFC 8773 (and its revision, 8773bis), which retains both certificate-based authentication and ephemeral key exchange. This ensures that security is not weakened by the introduction of PSK-based mechanisms for quantum resistance.
https://www.rfc-editor.org/rfc/rfc8773.html
https://datatracker.ietf.org/doc/draft-ietf-tls-8773bis/
----------------------------------

Cheers,
John Preuß Mattsson
