On Fri, Mar 20, 2026 at 09:13:16PM +0000, John Mattsson wrote:
> I am worried about the ITU-T work on TLS, which seems to significantly lower
> the security.
> https://datatracker.ietf.org/liaison/2141/
I agree that QKD is presently a combination of interesting physics and
commercial snake-oil. That said, I'd look to modify the below, with the
aim of making the critique more likely to be accepted as constructive.
>
> I suggest that TLS WG replies as follows:
>
> ----------------------------------
>
> TLS WG is concerned that ITU-T describes QKD as a technology that can
> be practically deployed today. Previous IETF discussions have
> concluded that QKD is not practically secure at present, but may
> become usable in a few decades as a defense-in-depth mechanism for
> point-to-point connections.
>
> QKD implementations today are not practically secure, even for
> point-to-point connections, and are even less suitable over longer
> distances. The concept of “trusted nodes” runs counter to established
> security principles such as zero trust and end-to-end encryption.
> Alarmingly, some QKD and QRNG vendors claim that their products are
> “unbreakable” and that their output can be used directly for
> cryptographic purposes without a CSPRNG or asymmetric cryptographic
> algorithms for key exchange and authentication.
So far, mostly fine, but...
> This is exactly the kind of statements one would expect from a
> hardware vendor secretly influenced by a SIGINT organization.
I don't believe that the above sentence will help to sway those
considering QKD to take a more sceptical position. Instead it
would be more productive to say something along the lines of:
Such marketing claims should not be taken at face value. Rather,
one may concede that in highly specialised point-to-point
deployments QKD-derived keying material might be combined with an
established asymmetric key-agreement scheme to yield a shared secret
that is resilient against attacks, so long as either scheme is
secure.
or some other less inflammatory formulation.
> The TLS WG agrees with the
> direction taken by the Pentagon to not test, pilot, use, or procure
> QKD and PSK-based solutions for quantum resistance, and to phase out
> symmetric key distribution.
> https://dowcio.war.gov/Portals/0/Documents/Library/PreparingForMigrationPQC.pdf
>
> The solution in ITU-T Y.QKD-TL would not enhance the security of TLS;
> it would severely weaken it. ITU-T should recommend migration to
> hybrid key exchange mechanisms such as X25519MLKEM768, which have
> already seen significant deployment.
> https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
> https://radar.cloudflare.com/post-quantum
>
> The use of psk_ke symmetric key distribution significantly weakens the
> security of TLS by removing asymmetric cryptographic algorithms for
> key exchange and authentication. The psk_ke mode was designed for
> constrained IoT environments, is disabled in many TLS libraries, and
> is not suitable for high-security use cases such as critical
> infrastructure. If PSK-based solutions for quantum resistance are
> used, they should follow RFC 8773 (and its revision, 8773bis), which
> retains both certificate-based authentication and ephemeral key
> exchange. This ensures that security is not weakened by the
> introduction of PSK-based mechanisms for quantum resistance.
> https://www.rfc-editor.org/rfc/rfc8773.html
> https://datatracker.ietf.org/doc/draft-ietf-tls-8773bis/
Mind you, given a meticulously operated KDC (not QKD), and robust
distribution of initial keying material when enrolling new nodes in the
KDC database, "psk_ke" may be an adequately secure quantum-resistant
key-establishment mechanism. Of course, in many deployments,
"psk_dhe_ke" is just as practical and at least as secure.
--
Viktor. 🇺🇦 Glory to Ukraine!
_______________________________________________
TLS mailing list -- [email protected]
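The psk_ke versus psk_dhe_ke point above (and the RFC 8773 combination of an external PSK with ephemeral key exchange), worked through the TLS 1.3 key schedule of RFC 8446 section 7.1 as an added example; this is not code from the thread or from any TLS implementation. It assumes SHA-256 and uses constructed byte strings for the PSK and the (EC)DHE shared secret rather than real handshake output; the function names are mine.

```python
import hashlib
import hmac
HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    # HkdfLabel = uint16 length || opaque label<7..255> ("tls13 " + label) || opaque context<0..255>
    hkdf_label = (length.to_bytes(2, "big") + bytes([6 + len(label)]) + b"tls13 " + label
                  + bytes([len(context)]) + context)
    out, block, counter = b"", b"", 1
    while len(out) < length:  # HKDF-Expand, RFC 5869
        block = hmac.new(secret, block + hkdf_label + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)

def handshake_secret(psk: bytes, ecdhe=None) -> bytes:
    # RFC 8446 s7.1: Early = HKDF-Extract(0, PSK); Handshake = HKDF-Extract(Derive-Secret(Early, "derived", ""), (EC)DHE).
    # With psk_ke no key share is exchanged, so the (EC)DHE input is HASH_LEN zero bytes.
    early = hkdf_extract(b"\x00" * HASH_LEN, psk)
    ikm = ecdhe if ecdhe is not None else b"\x00" * HASH_LEN
    return hkdf_extract(derive_secret(early, b"derived", b""), ikm)

def psk_ke_secret(psk: bytes) -> bytes:
    # psk_ke: the handshake secret is a pure function of the distributed PSK, so whoever
    # holds the KDC's copy of the PSK can recompute it for every session that used it.
    return handshake_secret(psk, None)

def psk_dhe_ke_secret(psk: bytes, ecdhe: bytes) -> bytes:
    # psk_dhe_ke (and RFC 8773's external PSK with (EC)DHE): both inputs feed the schedule.
    return handshake_secret(psk, ecdhe)

def both_inputs_required(psk: bytes, ecdhe: bytes) -> bool:
    # Perturb one input at a time; the secret must change both times, i.e. recovering
    # a session needs the PSK *and* the ephemeral secret, not just one of them.
    flip = lambda b: bytes([b[0] ^ 1]) + b[1:]
    ref = psk_dhe_ke_secret(psk, ecdhe)
    return ref != psk_dhe_ke_secret(flip(psk), ecdhe) and ref != psk_dhe_ke_secret(psk, flip(ecdhe))

if __name__ == "__main__":
    psk, ecdhe = bytes(range(32)), bytes(range(32, 64))  # constructed inputs, not real handshake output
    print("psk_ke    :", psk_ke_secret(psk).hex())
    print("psk_dhe_ke:", psk_dhe_ke_secret(psk, ecdhe).hex())
    print("both inputs required:", both_inputs_required(psk, ecdhe))
```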