Daniel J. Bernstein2d ago
The IETF TLS chairs have now issued a "last call" for objections to non-hybrid signatures in TLS. Do they admit that their previous "last call" re non-hybrid KEMs ended up with a _majority_ in opposition, and that many opposition statements obviously also apply to signatures? No.
Show threadARGVMI~1.PIF2d ago

@djb

Why do they want non-hybrid KEMs and signatures, anyway? Seems like a bad idea to protect all of everything with nothing but unproven crypto.

Show threadDaniel J. Bernstein2d ago

@argv_minus_one I have an introductory chart https://blog.cr.yp.to/20260221-structure.html showing the arguments and counterarguments.

Most common argument from proponents: NSA is asking for non-hybrids, ergo support non-hybrids. This argument works for (1) companies chasing NSA money, (2) companies that take any excuse for extra options as a barrier to entry for competitors, and (3) people who think that "NSA Cybersecurity" isn't a conduit for https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf but rather an independent pro-security agency.

Show threadrsalz2d ago
@darkuncle Sorry to see you promoting this. He's done great work, but this whole thread is crazy conspiracy thinking.
Show threadDaniel J. Bernstein2d ago
@rsalz @darkuncle You think https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf is a conspiracy theory?
Show threadrsalz2d ago
@djb @darkuncle no I do not, but that does not mean that the NSA is corrupting the IETF.
Show threadDaniel J. Bernstein2d ago
@rsalz @darkuncle Let me see if I understand. You're agreeing that NSA has a large budget to sabotage "standards and specification for commercial public key technologies" etc., but you presume that this doesn't include IETF, since the document doesn't _specifically_ name IETF? Also, just checking: by the same logic, you presume that this doesn't include ISO? NIST? IEEE? When we recommend proactive steps to protect SDOs against sabotage, you accuse us of being crazy conspiracy theorists?
Show threadrsalz
@djb I am glad your work on cryptography is better than your comprehension of what I write. "you presume this doesn't include the IETF since the document doesn't _specifically_ name the IETF." Ye gods man, read it again.
Apr 12 at 4:11pmWeb
Show threadDaniel J. Bernstein14h ago
@rsalz You aren't challenging the authenticity of https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf on NSA's massive budget to "covertly influence and/or overtly leverage" cryptography including "standards and specification for commercial public key technologies" to make all of this "exploitable". But, when there's an effort to protect IETF against such sabotage, you claim that "this thread is crazy conspiracy thinking". I ask you to say what exactly you're claiming is a conspiracy theory, and you seem unable to answer.
Show threadDaniel J. Bernstein14h ago
@rsalz Your response to the NSA budget document was "that does not mean that the NSA is corrupting the IETF". This _sounds_ to me like you're saying: well, yeah, NSA has a huge budget to attack standards and specs, but imagining that they're specifically attacking IETF is "crazy conspiracy thinking". I tried asking whether this is what you meant; you said no. Um, okay, then what exactly _are_ you claiming is "crazy conspiracy thinking"? (Edit: corrected quote "theory" -> "thinking".)