[saag] Re: New Version Notification for draft-rsalz-crypto-registries-00.txt

"D. J. Bernstein" <djb@cr.yp.to> Fri, 29 November 2024 14:47 UTC

Date: Fri, 29 Nov 2024 14:46:55 -0000
Message-ID: <20241129144655.1089022.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: saag@ietf.org, jay@staff.ietf.org
Mail-Followup-To: saag@ietf.org, jay@staff.ietf.org
In-Reply-To: <E0077799-325E-49D8-A22E-BF173E3F9C81@aiven.io>
List-Id: Security Area Advisory Group <saag.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/uyDX7SwpaaLU5y-L-qHLNAf2PZU>

Paul Wouters writes:
> D. J. Bernstein <djb@cr.yp.to> wrote:
> > Paul Wouters writes:
> > > The rough consensus is that there is no appetite for NTRUprime.
> > Um, what? There are multiple interoperable NTRU Prime implementations
> > for SSH, plus NTRU Prime implementations for various other protocols.
> > The SSHM WG adopted draft-josefsson-ntruprime-ssh earlier this month:
> I was talking about the IETF, not SSH.

IETF consensus is established only through IETF procedures. It's
interesting to see the juxtaposition between

    * IETF lawyers obviously being increasingly concerned about IETF's
      liability under antitrust law (see RFC 9680; I'm also sending this
      message to an RFC 9680 coauthor for IETF LLC attention) and

    * an AD, after indisputably being informed that a WG has adopted an
      NTRU Prime document, issuing false claims of IETF consensus "that
      there is no appetite for NTRUprime".

Very similar fraud by a committee chair was the reason that ASME,
another standardization organization, ended up paying 4.75 million
dollars in the Hydrolevel court case, the equivalent of about 15 million
dollars today. ASME per se wasn't engaging in fraud; the reason it lost
is that it didn't have sufficient controls in place to prevent the chair
from using the chair's seeming ASME authority to suppress competition.

> > Instead the ADs seem to be _encouraging_ having Kyber as
> > the only post-quantum encryption option.
> That is willful misrepresentation.

You're on record claiming, e.g., that "the cryptographic research
communities are focusing on NIST candidates ... Should the IETF really
recommend a dropped candidate at this stage? I do not think so". The
only PQ encryption mechanism that NIST has standardized is Kyber, so
this do-only-what-NIST-does position is encouraging Kyber as the only PQ
encryption option for IETF too.

You're also on record responding to the Kyber patent mess by claiming,
e.g., that the "process for deciding on cryptography is a separate
process" somehow exempting cryptography from BCP 79. You didn't back
down on this claim even after

    https://mailarchive.ietf.org/arch/msg/saag/pKLdOqJpiyZDIrqJjrFuD65tWUc/

gave a quote from Scott Bradner to the contrary. Ultimately what matters
is that you seem to be letting Kyber specs sail through while throwing
obstacles in the way of other options.

Sure, the future situation might be different if NIST standardizes other
options (as I hope it does) and the ADs start encouraging usage of those
options. My comment was about the current situation.

---D. J. Bernstein