Re: [CFRG] Please review draft-ietf-drip-rid

"Riad S. Wahby" <> Fri, 17 September 2021 18:41 UTC

Date: Fri, 17 Sep 2021 14:41:14 -0400
From: "Riad S. Wahby" <>
To: "Blumenthal, Uri - 0553 - MITLL" <>
Cc: Michael Scott <>, "<>" <>
Message-ID: <20210917184114.4gnz7g4dl7euf5po@kaon.local>
List-Id: Crypto Forum Research Group <>

Hello Uri,

As I've said privately, I appreciate your position even though
I disagree with it. But this thread seems to be going in a slightly
concerning direction:

"Blumenthal, Uri - 0553 - MITLL" <> wrote:
> While we both understand that I am not a spokesman for such a group,
> as nobody appointed or authorized me to do so – IMHO, this group
> would include all the US Government, all the vendors who sell
> to US Government, and probably same contingent for other countries.

The "some of us" context here was "Ed25519 is not acceptable".

Broadening this to include morally equivalent (PQ-wise) cryptography
(e.g., the NIST curves, ECDSA, ...), it seems pretty clear that the
official position of the US Government is that such cryptosystems
*are* acceptable. After all, they are in use and recommended.

Perhaps once the current NIST competition concludes we will see a quick
shift to PQ cryptosystems as sole recommendations. But I doubt this
very much: experience tells us that breaking newly deployed and
not-yet-well-understood cryptosystems is much easier than building
crypto-threatening quantum computers.

So: I do not think it is correct to claim the USG and its subsidiaries
as ideological allies here.

But I'm not sure this matters much either way, because:

> Mike Scott wrote:
>> I for one would be interested in just how extensive this "some of
>> us" group is. In the interests of transparency I think they should
>> step forward and identify themselves. It is a view I respect, but
>> personally disagree with.
> Sure. Though be aware that only a tiny fraction of the above appears
> present here, and I can’t speak even for them.

With respect, this appears to be a non sequitur. The question was how
many people would be likely to shoot down new non-PQ proposals:

>> If people in good faith are willing to make major efforts to put
>> forward proposals to this forum, it would only be fair for them
>> to be aware of the extent of that grouping who would reject such
>> proposals out-of-hand.

From that perspective, the only relevant people are those who participate
or who are likely to participate in discussing those proposals.

> Also, please consider that from the common-sense point of view,
> if the security concern I expressed is valid – the number of people
> or organizations who share it is irrelevant. So far, there has been
> no way to either prove or disprove convincingly this concern. And
> we’ve been erring on the side of caution pretty much everywhere
> else – so, why not here?

This argument does not seem productive: essentially all cryptography
is based on hardness assumptions that have not been proved or disproved
(and, given our current knowledge, seem unlikely to be). If we accept
the above argument, the logical conclusion seems to be "disband CFRG".