> The primary reason that psk_ke is unwise for external keys is that we expect
> those keys to have a long lifespan.

I disagree, the primary reason that psk_ke is unwise for external keys is that you should not trust that the provider of the external PSK is honest or not compromised. This includes your own systems. The main principle of zero trust is that you should always assume breach and limit the impact of breach.

> There are a number of QKD deployments which appear to be in production,
> including:

Unfortunately yes.

OLD: point out that quantum communication is pure research.
NEW: point out that quantum communication should be pure research

Cheers,
John Preuß Mattsson

From: Eric Rescorla <[email protected]>
Date: Monday, 23 March 2026 at 16:12
To: John Mattsson <[email protected]>
Cc: Scott Fluhrer (sfluhrer) <[email protected]>, Salz, Rich <[email protected]>, Andrei Popov <[email protected]>, [email protected] <[email protected]>
Subject: Re: [TLS] Re: [EXTERNAL] Re: LS on the work item related to QKD and TLS integration framework in SG13

On Mon, Mar 23, 2026 at 8:03 AM John Mattsson <[email protected]> wrote:

> I don’t think that is a good answer.
>
> - I think a reply from TLS should include the technical analysis of their use of the TLS protocol. That is why they are writing TLS WG. The only reason for not saying that psk_ke for external PSKs is a very bad choice would be to save the face of RFC 8446.

I don't think that this is correct. The primary reason that psk_ke is unwise for external keys is that we expect those keys to have a long lifespan. If those keys are changed regularly, then this can be a reasonable choice. In the limit, if you were to establish a new key via some secure method for each TLS connection, then you would have similar key lifetime properties to many existing TLS connections.

> - I think the Pentagon paper I linked to is a better reference than NSA and GCHQ. Pentagon is a user, not a SIGINT. Also, the contact for the Pentagon paper is Brita Hale, which most of us know.
>
> - If we refer to QIRC it should be to point out that quantum communication is pure research.

I do not think this is correct. There are a number of QKD deployments which appear to be in production, including:

https://www.idquantique.com/quantum-safe-security/quantum-key-distribution/#:~:text=ID%20Quantique%20and%20Singtel%20are,Pozna%C5%84%20Supercomputing%20and%20Networking%20Center
https://quantumxc.com/blogs-podcasts/quantum-communications-real-world-applications/#:~:text=Quantum%20Xchange%20is%20currently%20leading,distances%20that%20is%20provably%20secure.

While I think this is a bad idea, that doesn't mean it's pure research.

-Ekr

> John

From: Scott Fluhrer (sfluhrer) <[email protected]>
Date: Monday, 23 March 2026 at 15:55
To: Eric Rescorla <[email protected]>, Salz, Rich <[email protected]>
Cc: Andrei Popov <[email protected]>, [email protected] <[email protected]>
Subject: [TLS] Re: [EXTERNAL] Re: LS on the work item related to QKD and TLS integration framework in SG13

Minor correction: it's the QIRG (Quantum Internet Research Group), not the QCRG.

________________________________
From: Eric Rescorla <[email protected]>
Sent: Monday, March 23, 2026 9:50 AM
To: Salz, Rich <[email protected]>
Cc: Andrei Popov <[email protected]>; [email protected] <[email protected]>
Subject: [TLS] Re: [EXTERNAL] Re: LS on the work item related to QKD and TLS integration framework in SG13

If we must say something, I think it should be more along the lines of this statement.

Ekr

On Mon, Mar 23, 2026 at 5:32 AM Salz, Rich <[email protected]> wrote:

> > * I agree with this. It makes sense to respond, in simple technical terms.
> > Not with judgement, not with assumption of ill intent by any parties. Just plain technical advice.
>
> Totally agree! It can be as simple as
>
> The TLS working group feels that QKD is still too premature to be a secure solution to any problem. We note that other organizations also feel this way [refs to UKNCSC, NSA if needed]. We are unlikely to do any work in this area now. We suggest that you look at the QCRG, in our related organization the IRTF, which has active QKD discussions.

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
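The disagreement above turns on what a holder of the external PSK can derive from a handshake. The following Python script is an added example written for this page, not code from the thread or from any TLS implementation: it walks the TLS 1.3 key schedule of RFC 8446 section 7.1 with SHA-256 and compares the two psk_key_exchange_modes. In psk_ke the (EC)DHE input to the handshake secret is replaced by Hash.length zero bytes, so everything down to the application traffic secrets is a deterministic function of the PSK and the transcript; in psk_dhe_ke the ephemeral DH shared secret is mixed in. The PSK, transcript and DH secret below are constructed placeholder values, and the function psk_holder_recovers_traffic_secret is a model of the PSK provider, not a protocol message.

```python
"""TLS 1.3 key schedule (RFC 8446 section 7.1, SHA-256 ciphersuites) used to
show what a party that issued an external PSK and can read the handshake on the
wire is able to derive in psk_ke mode versus psk_dhe_ke mode.

Added example for this page; assumptions: SHA-256, constructed sample inputs."""
import hashlib
import hmac
import struct
from typing import Optional

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 7.1).

    HkdfLabel = uint16 length | opaque label<7..255> ("tls13 " + Label)
                | opaque context<0..255>
    """
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """Derive-Secret = HKDF-Expand-Label(Secret, Label, Transcript-Hash(Messages), Hash.length)."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def client_application_traffic_secret(psk: bytes, transcript: bytes,
                                      ecdhe: Optional[bytes]) -> bytes:
    """Walk the schedule from the PSK down to client_application_traffic_secret_0.

    ecdhe is the (EC)DHE shared secret in psk_dhe_ke mode, or None in psk_ke
    mode, where RFC 8446 substitutes Hash.length zero bytes for the absent input.
    """
    zeros = b"\x00" * HASH_LEN
    early_secret = hkdf_extract(zeros, psk)
    handshake_secret = hkdf_extract(derive_secret(early_secret, b"derived", b""),
                                    ecdhe if ecdhe is not None else zeros)
    master_secret = hkdf_extract(derive_secret(handshake_secret, b"derived", b""), zeros)
    return derive_secret(master_secret, b"c ap traffic", transcript)


def psk_holder_recovers_traffic_secret(mode: str, psk: bytes, transcript: bytes,
                                       ecdhe: bytes) -> bool:
    """Model (an assumption of this example) of the party that provisioned the
    external PSK: it knows psk and the handshake transcript, but never the
    endpoints' ephemeral DH secret. In psk_ke the handshake traffic keys are
    also PSK-only, so the encrypted handshake messages are readable to it and
    the transcript is genuinely available. Returns True when the secret it can
    compute equals the one the endpoints actually use."""
    if mode == "psk_ke":
        real = client_application_traffic_secret(psk, transcript, None)
    elif mode == "psk_dhe_ke":
        real = client_application_traffic_secret(psk, transcript, ecdhe)
    else:
        raise ValueError(f"unknown psk_key_exchange_mode {mode!r}")
    # Without the DH secret, the only schedule the PSK holder can run is the
    # PSK-only one.
    from_psk_only = client_application_traffic_secret(psk, transcript, None)
    return hmac.compare_digest(real, from_psk_only)


# Constructed sample values; not real handshake material.
SAMPLE_PSK = bytes.fromhex("0f" * 32)
SAMPLE_TRANSCRIPT = b"ClientHello..server Finished (constructed placeholder transcript)"
SAMPLE_ECDHE = bytes.fromhex("a5" * 32)

if __name__ == "__main__":
    for mode in ("psk_ke", "psk_dhe_ke"):
        leaked = psk_holder_recovers_traffic_secret(mode, SAMPLE_PSK, SAMPLE_TRANSCRIPT, SAMPLE_ECDHE)
        print(f"{mode:10s}: PSK provider can derive the session traffic secret: {leaked}")
```

Run stand-alone it prints True for psk_ke and False for psk_dhe_ke. The point for a deployment that imports keys from an external key-management system (a QKD link included) is the one both sides of the thread make from different angles: with psk_ke, whoever holds the PSK, for as long as it is in use, holds every session's traffic keys, so a long-lived or replicated PSK is a single point of compromise; with psk_dhe_ke a PSK compromise breaks authentication of future handshakes but not the confidentiality of sessions already completed. The HKDF primitives can be cross-checked against the RFC 5869 test vectors.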
