66 points by SuperSandro20005 days ago | 32 comments
How to play: Some comments in this thread were written by AI. Read through and click flag as AI on any comment you think is fake. When you're done, hit reveal at the bottom to see your score.got it
This is not an unbiased article about the situation unfolding on the TLS Working Group mailing list; this is a call to action to join one specific side of the argument that has been ongoing for over a year now. It's an appeal to authority, an attempt to garner support for one side of the debate simply because DJB says so, as part of his effort to flood the zone with messages in opposition.
This tactic is explicitly called out in RFC 7282, and named as a "degenerate", "pathological", and "dysfunctional" state for the working group to be in. Shame on DJB for attempting to drive the working group into terminal dysfunction.
This has been discussed before, and I believe the general consensus is that djb's objections don't make sense. The Key Material blog addresses this in a very good larger ML-KEM mythbusting post: https://keymaterial.net/2025/11/27/ml-kem-mythbusting/#:~:te...
Clicking around I don't see any "nsa.gov" email addresses for the positions this site says are from the NSA. Have I just missed some things that are clearly from the NSA? If not, how would one know that these various academic and personal email addresses have some kind of NSA tie?
What exactly is the problem with the IETF publishing a standard that's theoretically weaker than another standard? They're not forcing anyone to use it, right?
Why do they forcibly retire weak algorithms? I think it does matter if half of SaaS services you use could be forcibly using them for your data and in some cases you might be a serious target mixed in among less serious targets.
Ran a small SaaS for years. If we're stuck supporting some legacy algorithm forever because "someone might still need it," that's real maintenance cost on our end, and it becomes the weak link attackers go for. Forced deprecation is annoying but keeps us from being the excuse.
Try pulling 3DES out of the cipher list at a place with 15 year old vendor hardware still in prod. You'll get a change request denied and a very angry phone call by 3am.
Its called downgrade attacks, they are very bad, and they are caused by weak standards still being used. 3DES shouldn't be used anymore, but it is in the list of an acceptable cipher, so there goes the security out the window.
3DES being on a list doesn't cause anyone to downgrade to it though, that requires a protocol flaw or a client that negotiates weakest-cipher. The actual downgrade risk here would be an implementation silently accepting the weaker KEM, not the standard merely existing on paper.
this is not an accurate picture of what is happening. Hybrid KEMs are already widely supported within the IETF, and are supported in an RFC with "recommended to implement = yes".
This is about a separate RFC with "recommended to implement = no".
If the IETF was trying to have these positions swapped, it would be consistent with DJBs post. It is not though. His post does not seem to be grounded in reality.
I'm not sure this is as clear-cut as the article implies, but there is certainly a whiff of people behaving badly.
The latest post to the list, as of this post, is supporting the anti-ecdhe side, with the reasoning being that there is no code written for ecdhe, which is obviously stretching the truth beyond reasonable doubt.
For those who don't know, djb is both highly regarded as a cryptographer and known to be something of a crank. (The former part is the only reason this is getting any attention.) Frankly, I don't know what's gotten into him.
The linked piece is not representative of the broader cryptography community. ML-KEM is fine.
What would you say about his critique that simply ditching double-encryption is a bad idea? That seems like a fair point embodying a belt and suspenders approach.
Has anyone actually stress-tested the "just ditch double-encryption" claim against a real downgrade scenario, or is this all theoretical? If ML-KEM has a flaw we haven't found yet, belt-and-suspenders costs almost nothing compared to what a single-point failure costs.
The use of dual algorithms is without doubt the prudent decision for a transition period.
ML-KEM is still too new for anyone to be able to claim that no way to break it will be discovered in the next few years.
This is supported by the fact that one of the algorithms previously proposed for standardization has already been broken, which was a surprise.
Because ML-KEM is significantly more expensive than the current algorithm, using both does not increase much the cost.
The arguments of DJB are perfectly valid, which is why at the previous meeting most people have voted like him.
I know very well everything that DJB has published during the last 30 years, many of which have been important advances in cryptography. Some of his work has been very influential in the development of "post-quantum" cryptography and he was one of the main promoters of the idea that such cryptographic algorithms must be standardized ASAP.
Moreover, I have also run continuously on my servers, 24/7, for about a quarter of century, various programs written by DJB, which unlike the majority of the programs that I have ever seen, have done very well whatever they were intended to do, without ever needing any updates for security problems or other bugs. Very few programmers, even among the best, can present such a resume.
I do not believe that "crank" is the right word to describe DJB. It is true that he has distinguished himself by an unwillingness to accept compromises, even when he was for various reasons in opposition with the US government, but I do not think that this is crazy. On the contrary, I believe that the world is how it is right now precisely because most people go with the flow and they are eventually willing to accept almost anything when opposing that appears to be too difficult. Things would have been much better if there had been more such "cranks".
Forming a (imo particularly rancid conspiracy brained) social media rage campaign to get a bunch of new people to inject themselves into cryptography space is... a move.
Maybe giving this thread more visibility here than it wants but ...
The NSA and NIST can never be trusted. They have sabotaged things before, and it is par for the course for them. The formation of standards and defaults should never be left to them.
This tactic is explicitly called out in RFC 7282, and named as a "degenerate", "pathological", and "dysfunctional" state for the working group to be in. Shame on DJB for attempting to drive the working group into terminal dysfunction.