47 points by SuperSandro2000 | 5 hours ago | 9 comments
  • phasmantistes · 13 minutes ago
    This is not an unbiased article about the situation unfolding on the TLS Working Group mailing list; this is a call to action to join one specific side of the argument that has been ongoing for over a year now. It's an appeal to authority, an attempt to garner support for one side of the debate simply because DJB says so, as part of his effort to flood the zone with messages in opposition.

    This tactic is explicitly called out in RFC 7282, and named as a "degenerate", "pathological", and "dysfunctional" state for the working group to be in. Shame on DJB for attempting to drive the working group into terminal dysfunction.

  • miloignis · 11 minutes ago
    This has been discussed before, and I believe the general consensus is that djb's objections don't make sense. The Key Material blog addresses this in a very good larger ML-KEM mythbusting post: https://keymaterial.net/2025/11/27/ml-kem-mythbusting/#:~:te...
  • galadran · 12 minutes ago
    This is garbage from start to finish.

    There are already codepoints assigned for MLKEM 512/768/1024 (0x0200, 0x0201, 0x0202) and nearly every major library supports it already:

      - OpenSSL (ML-KEM-512/768/1024)
      - BoringSSL (ML-KEM-1024)
      - NSS (ML-KEM-1024)
      - AWS-LC (ML-KEM-512/768/1024)
      - Rustls (ML-KEM-768/1024)
      - s2n-tls (ML-KEM-1024)
      - Bouncy Castle (ML-KEM-512/768/1024)
      - Botan (ML-KEM-512/768/1024)
      - GnuTLS (ML-KEM-768/1024)
      - WolfSSL (ML-KEM-512/768/1024)
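    As an added example (not code from any commenter or from the libraries listed), a small Python parser for the TLS supported_groups extension that reports whether a client offers the pure ML-KEM codepoints quoted above, a hybrid ML-KEM group, or both; the hybrid and classical codepoints are taken from the IANA TLS Supported Groups registry as I know it and are not on the page, so verify them against the registry.

```python
import struct

# Named-group codepoints for the TLS supported_groups extension.
# Pure ML-KEM values are those quoted in the comment above; hybrid and
# classical values are from the IANA registry (assumption: verify there).
PURE_MLKEM = {0x0200: "MLKEM512", 0x0201: "MLKEM768", 0x0202: "MLKEM1024"}
HYBRID_MLKEM = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
                0x11ED: "SecP384r1MLKEM1024"}
CLASSICAL = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}


def parse_supported_groups(ext_body: bytes) -> list:
    """Decode a supported_groups extension body (RFC 8446 section 4.2.7):
    a 2-byte length followed by that many bytes of 2-byte NamedGroup values."""
    if len(ext_body) < 2:
        raise ValueError("truncated supported_groups extension")
    (length,) = struct.unpack("!H", ext_body[:2])
    payload = ext_body[2:]
    if length != len(payload) or length % 2 != 0:
        raise ValueError("supported_groups length does not match body")
    return list(struct.unpack("!%dH" % (length // 2), payload))


def classify(groups: list) -> dict:
    """Bucket offered groups into classical, hybrid ML-KEM and pure ML-KEM.
    'pure_pq_only' is set when ML-KEM is offered with no hybrid group at all,
    i.e. the ECC+PQ fallback the thread is arguing about is absent."""
    out = {"classical": [], "hybrid": [], "pure_mlkem": [], "unknown": []}
    for g in groups:
        if g in PURE_MLKEM:
            out["pure_mlkem"].append(PURE_MLKEM[g])
        elif g in HYBRID_MLKEM:
            out["hybrid"].append(HYBRID_MLKEM[g])
        elif g in CLASSICAL:
            out["classical"].append(CLASSICAL[g])
        else:
            out["unknown"].append(hex(g))
    out["pure_pq_only"] = bool(out["pure_mlkem"]) and not out["hybrid"]
    return out


def build_supported_groups(groups: list) -> bytes:
    """Encode a supported_groups body; used here only to construct sample input."""
    body = struct.pack("!%dH" % len(groups), *groups)
    return struct.pack("!H", len(body)) + body


# Constructed sample: hybrid first, then x25519, then pure ML-KEM-768.
SAMPLE = build_supported_groups([0x11EC, 0x001D, 0x0201])

if __name__ == "__main__":
    print(classify(parse_supported_groups(SAMPLE)))
```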
  • Ajedi32 · 20 minutes ago
    What exactly is the problem with the IETF publishing a standard that's theoretically weaker than another standard? They're not forcing anyone to use it, right?
    • mswphd · 10 minutes ago
      The IETF has published the Russian TLS 1.2 standard (RFC 9189). This includes Kuznyechik, which has a certain design choice consistent with it being backdoored.

      https://en.wikipedia.org/wiki/Kuznyechik#Cryptanalysis

      (the work by Perrin that is mentioned is what I'm referring to).

      The (pure) mlkem standard is also marked "recommended to implement = No". People are interested in implementing it. The IETF can't change that. They can try to ensure such implementations are interoperable, though.

    • kokonuts · 11 minutes ago
      Why do they forcibly retire weak algorithms? I think it does matter if half of SaaS services you use could be forcibly using them for your data and in some cases you might be a serious target mixed in among less serious targets.
    • downrightmike · 9 minutes ago
      It's called downgrade attacks, they are very bad, and they are caused by weak standards still being used. 3DES shouldn't be used anymore, but it is in the list as an acceptable cipher, so there goes the security out the window.
  • advisedwang · an hour ago
    Clicking around I don't see any "nsa.gov" email addresses for the positions this site says are from the NSA. Have I just missed some things that are clearly from the NSA? If not, how would one know that these various academic and personal email addresses have some kind of NSA tie?
    • mswphd · 3 minutes ago
      DJB has for years claimed anyone who disagrees with him is affiliated with the NSA. See for example this post as part of the NIST-PQC competition:

      https://blog.cr.yp.to/20220805-nsa.html

      > Some people seem to be unable to rationally consider the possibility that NSA is sabotaging post-quantum cryptography. I've heard people saying, for example, that submissions to the NIST Post-Quantum Cryptography Standardization Project (NISTPQC) were publicly designed and evaluated by top experts, and that NSA can't have bribed the submission teams.
      >
      > Let's look at the facts.

      Note that the authors of ML-KEM are overwhelmingly European.

    • mcpherrinm · 6 minutes ago
      The underlying context is the US government only wants to buy systems which support pure post-quantum cryptography for use on top-secret networks, as part of the requirements of its Commercial National Security Algorithm Suite 2.0 standard.

      So all the companies who want to sell anything using TLS to the government want to standardize this, so they can be CNSA2 compliant.

      Everyone already supports this in major libraries; but some folks feel they need an IETF RFC specifying it.

      (I don't have to comply with CNSA2 so I might have details slightly off)

    • axus · 20 minutes ago
      The inexplicable behavior is indistinguishable from behavior that could be explained by a conspiracy.
    • iAMkenough · 36 minutes ago
      I don’t think the spy agency would use an nsa.gov address to manipulate the technology trajectory.
      • advisedwang · 32 minutes ago
        Of course, but is there any actual evidence that these accounts are NSA related? Or is it an assumption because they are supporting the proposal (which would be very circular logic)?
  • phyzome · 6 minutes ago
    For those who don't know, djb is both highly regarded as a cryptographer and known to be something of a crank. (The former part is the only reason this is getting any attention.) Frankly, I don't know what's gotten into him.

    The linked piece is not representative of the broader cryptography community. ML-KEM is fine.

  • sharpshadow · an hour ago
    “Surveillance agency NSA and its partner GCHQ are trying to have standards-development organizations endorse weakening ECC+PQ down to just PQ.”[0]

    That’s pretty weak just stripping down the hybrid approach.

    0. https://blog.cr.yp.to/20251004-weakened.html

    • mswphd · a few seconds ago
      This is not an accurate picture of what is happening. Hybrid KEMs are already widely supported within the IETF, and are supported in an RFC with "recommended to implement = yes".

      This is about a separate RFC with "recommended to implement = no".

      If the IETF was trying to have these positions swapped, it would be consistent with DJB's post. It is not, though. His post does not seem to be grounded in reality.

  • realxrobau · 2 hours ago
    I'm not sure this is as clear-cut as the article implies, but there is certainly a whiff of people behaving badly.

    The latest post to the list, as of this post, is supporting the anti-ecdhe side, with the reasoning being that there is no code written for ecdhe, which is obviously stretching the truth beyond reasonable doubt.

  • jauntywundrkind · 17 minutes ago
    Forming a (imo particularly rancid conspiracy brained) social media rage campaign to get a bunch of new people to inject themselves into cryptography space is... a move.

    Maybe giving this thread more visibility here than it wants but ...

    https://bsky.app/profile/filippo.abyssdomain.expert/post/3mp...

    (Personally it seems so so unacceptable to me to accuse so many good hardworking people of such bitter conspiracy.)