Daniel J. Bernstein18h ago
The IETF TLS chairs have now issued a "last call" for objections to non-hybrid signatures in TLS. Do they admit that their previous "last call" re non-hybrid KEMs ended up with a _majority_ in opposition, and that many opposition statements obviously also apply to signatures? No.
Show threadARGVMI~1.PIF18h ago

@djb

Why do they want non-hybrid KEMs and signatures, anyway? Seems like a bad idea to protect all of everything with nothing but unproven crypto.

Show threadDaniel J. Bernstein17h ago

@argv_minus_one I have an introductory chart https://blog.cr.yp.to/20260221-structure.html showing the arguments and counterarguments.

Most common argument from proponents: NSA is asking for non-hybrids, ergo support non-hybrids. This argument works for (1) companies chasing NSA money, (2) companies that take any excuse for extra options as a barrier to entry for competitors, and (3) people who think that "NSA Cybersecurity" isn't a conduit for https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf but rather an independent pro-security agency.

Show threadrsalz17h ago
@darkuncle Sorry to see you promoting this. He's done great work, but this whole thread is crazy conspiracy thinking.
Show threadDaniel J. Bernstein16h ago
@rsalz @darkuncle You think https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf is a conspiracy theory?
Show threadrsalz15h ago
@djb @darkuncle no I do not, but that does not mean that the NSA is corrupting the IETF.
Show threadDaniel J. Bernstein
@rsalz @darkuncle Let me see if I understand. You're agreeing that NSA has a large budget to sabotage "standards and specification for commercial public key technologies" etc., but you presume that this doesn't include IETF, since the document doesn't _specifically_ name IETF? Also, just checking: by the same logic, you presume that this doesn't include ISO? NIST? IEEE? When we recommend proactive steps to protect SDOs against sabotage, you accuse us of being crazy conspiracy theorists?
12:24amWeb
Show threadrsalz14h ago
@djb @darkuncle I presumed nothing. Read what I wrote. Twisting words to win an argument. Your better than this Dan.
Show threadPaul Hoffman14h ago
@rsalz @djb Do you have any evidence of that last statement, Rich?
Show threadDaniel J. Bernstein13h ago
@rsalz @darkuncle You wrote "this whole thread is crazy conspiracy thinking" but I'm unable to figure out what you're disputing, i.e., what specifically you're claiming is a conspiracy theory. You _don't_ seem to be questioning the authenticity of https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf, an internal NSA document on NSA's massive budget to weaken "standards and specification for commercial public key technologies" etc. so as to make those "exploitable". What, then, _are_ you disputing?
Show threadARGVMI~1.PIF11h ago

@rsalz

Do you have another explanation for the inexplicable push for the IETF to specify non-hybrid ML-KEM?

I looked at the list of arguments compiled by @djb at https://blog.cr.yp.to/20260221-structure.html and I don't see any particularly compelling argument in favor of such a move. Nor can I think of one myself. Certainly nothing to justify going full speed ahead like this.

@darkuncle