The IETF TLS chairs have now issued a "last call" for objections to non-hybrid signatures in TLS. Do they admit that their previous "last call" re non-hybrid KEMs ended up with a _majority_ in opposition, and that many opposition statements obviously also apply to signatures? No.

@djb

Why do they want non-hybrid KEMs and signatures, anyway? Seems like a bad idea to protect all of everything with nothing but unproven crypto.

@argv_minus_one I have an introductory chart https://blog.cr.yp.to/20260221-structure.html showing the arguments and counterarguments.

Most common argument from proponents: NSA is asking for non-hybrids, ergo support non-hybrids. This argument works for (1) companies chasing NSA money, (2) companies that take any excuse for extra options as a barrier to entry for competitors, and (3) people who think that "NSA Cybersecurity" isn't a conduit for https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf but rather an independent pro-security agency.

@darkuncle Sorry to see you promoting this. He's done great work, but this whole thread is crazy conspiracy thinking.

@rsalz DJB sees a conspiracy where one may not exist ... but has a history of seeing one where it did very much in fact exist.

I think cryptographers erring on the side of extreme caution is a net benefit (and his points about unjustified and unexplained foot-dragging and resistance on Classic McEliece adoption have been well documented).

@darkuncle @rsalz

DJB has always been touchy and can really get into the weeds on some conspiracy theory. Really smart guy, but I tend to take his rants with a heavy grain of salt.

It's been this way since early Usenet days.

@paul_ipv6 @rsalz as they say, just because you're paranoid doesn't mean they aren't after you. :)