NSA and IETF, part 3: Dodging the issues at hand

DJB’s reputation and communication style

  • Commenters widely respect his technical work (Curve25519, ChaCha, implementation safety) and earlier civil-liberties wins, but many find his current blog voice caustic, paranoid, and “crackpot‑adjacent.”
  • Several argue that heavy sarcasm, accusations of bad faith, and personal attacks undermine otherwise serious technical points and make collaborators less willing to engage.
  • Others defend his belligerence as principled consistency against government overreach and standards corruption.

Core crypto dispute: ML‑KEM vs ECC and hybrids

  • One camp: ECC is well-understood and unbroken; ML‑KEM (Kyber) is newer, less scrutinized, and may still lose significant security margin as attacks improve.
  • They argue for “hybrid” key exchange (ECC + PQ) as the default, and view a pure‑ML‑KEM TLS mode as an unnecessary, risky option.
  • Another camp: lattice cryptography has decades of work, Kyber weathered an open NIST competition, and pure ML‑KEM modes are acceptable, especially where policy (e.g., US CNSA 2.0) requires them.
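
To make the "hybrid" option under dispute concrete, the following is an added example (my own, not code from the post, the commenters, or any IETF draft) of an X25519 + ML-KEM-768 key exchange with both sides' messages, using only the Go 1.24 standard library (crypto/ecdh, crypto/mlkem, crypto/hkdf). The message structs, the ordering of the two secrets in the combiner and the HKDF label are illustrative assumptions, not the wire definition of the TLS X25519MLKEM768 group. What it shows is the property both camps are arguing about: the derived key depends on both shared secrets, so an attacker who recovers only one of them (ECC broken by a quantum computer, or lattice attacks eating the ML-KEM margin) still does not learn the key.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Message shapes are assumptions for this example, not TLS wire formats.
type clientHello struct {
	ecdhPub []byte // client's X25519 public key (32 bytes)
	kemPub  []byte // client's ML-KEM-768 encapsulation key (1184 bytes)
}

type serverHello struct {
	ecdhPub []byte // server's X25519 public key
	kemCt   []byte // ML-KEM-768 ciphertext (1088 bytes)
}

type clientState struct {
	ecdhPriv *ecdh.PrivateKey
	kemPriv  *mlkem.DecapsulationKey768
}

// transcript binds the derived key to exactly the public values exchanged.
func transcript(ch clientHello, sh serverHello) []byte {
	h := sha256.New()
	for _, part := range [][]byte{ch.ecdhPub, ch.kemPub, sh.ecdhPub, sh.kemCt} {
		h.Write(part)
	}
	return h.Sum(nil)
}

// hybridKey is the combiner: both secrets feed the HKDF input, so recovering
// either one alone leaves the output unpredictable. The secret order and the
// label are assumptions here, not the X25519MLKEM768 definition.
func hybridKey(ssX25519, ssMLKEM, transcriptHash []byte) ([]byte, error) {
	ikm := append(append([]byte{}, ssX25519...), ssMLKEM...)
	return hkdf.Key(sha256.New, ikm, transcriptHash, "hybrid-x25519-mlkem768-example", 32)
}

// clientInit generates both ephemeral key pairs and the first message.
func clientInit() (*clientState, clientHello, error) {
	ecdhPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, clientHello{}, err
	}
	kemPriv, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, clientHello{}, err
	}
	ch := clientHello{ecdhPriv.PublicKey().Bytes(), kemPriv.EncapsulationKey().Bytes()}
	return &clientState{ecdhPriv, kemPriv}, ch, nil
}

// serverRespond does X25519 with a fresh key and encapsulates to the client's
// ML-KEM key, then derives the server's copy of the hybrid key.
func serverRespond(ch clientHello) (serverHello, []byte, error) {
	ecdhPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return serverHello{}, nil, err
	}
	clientPub, err := ecdh.X25519().NewPublicKey(ch.ecdhPub)
	if err != nil {
		return serverHello{}, nil, err
	}
	ssX, err := ecdhPriv.ECDH(clientPub)
	if err != nil {
		return serverHello{}, nil, err
	}
	ek, err := mlkem.NewEncapsulationKey768(ch.kemPub)
	if err != nil {
		return serverHello{}, nil, err
	}
	ssK, ct := ek.Encapsulate()
	sh := serverHello{ecdhPriv.PublicKey().Bytes(), ct}
	key, err := hybridKey(ssX, ssK, transcript(ch, sh))
	return sh, key, err
}

// clientFinish completes both halves and derives the client's copy of the key.
func clientFinish(st *clientState, ch clientHello, sh serverHello) ([]byte, error) {
	serverPub, err := ecdh.X25519().NewPublicKey(sh.ecdhPub)
	if err != nil {
		return nil, err
	}
	ssX, err := st.ecdhPriv.ECDH(serverPub)
	if err != nil {
		return nil, err
	}
	// A tampered ciphertext is not an error: ML-KEM implicit rejection yields
	// an unrelated pseudorandom secret, so the two sides' keys simply disagree.
	ssK, err := st.kemPriv.Decapsulate(sh.kemCt)
	if err != nil {
		return nil, err
	}
	return hybridKey(ssX, ssK, transcript(ch, sh))
}

func main() {
	st, ch, err := clientInit()
	if err != nil {
		panic(err)
	}
	sh, serverKey, err := serverRespond(ch)
	if err != nil {
		panic(err)
	}
	clientKey, err := clientFinish(st, ch, sh)
	if err != nil {
		panic(err)
	}
	fmt.Printf("hybrid keys agree: %v\n", bytes.Equal(clientKey, serverKey))
}
```

Two details worth noticing when running it: decapsulating a corrupted ciphertext does not return an error (ML-KEM's implicit rejection produces an unrelated secret instead), so key agreement has to be confirmed by the rest of the handshake rather than inferred from a successful decapsulation; and because the transcript hash is mixed in, swapping either public value also changes the derived key, which is what blocks a quiet substitution of one component.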

Backdoors, NSA, and trust

  • Skeptics point to the DES key‑size reduction, Dual_EC_DRBG, Crypto AG, and the Snowden documents as evidence that the NSA has influenced standards to enable NOBUS ("nobody but us") backdoors.
  • They see an NSA‑favored, non‑hybrid ML‑KEM profile as potentially another such move, and argue it deserves “hair‑on‑fire” scrutiny.
  • Others counter that Kyber was designed by an academic team, not the NSA; no clear “weird‑constant” backdoor story exists; and assuming every NSA‑supported algorithm is backdoored is unwarranted.

Implementation and side‑channel concerns

  • Several highlight that early Kyber/ML‑KEM code, including reference and major libraries, had timing side‑channel flaws; this is used to argue the scheme is hard to implement safely.
  • A parallel is drawn to the NIST P‑curves: mathematically fine but historically tricky to implement without timing leaks, in contrast to designs (Curve25519 is the usual example) shaped from the start so that constant‑time code is the natural way to write them.
  • Others reply that implementation bugs are normal, get fixed faster once a standard exists, and don’t by themselves justify blocking standardization.

IETF “rough consensus” and process fight

  • There is a major argument over whether a 20+2 vs 7 vote constitutes “rough consensus.”
  • Some say 2:1 or 3:1 majorities are standard in other committees; others insist that consensus is not a majority vote and that serious, reasoned technical objections (backed by multiple people) must be resolved, not outvoted.
  • Debate over “rules‑lawyering”: one side sees strict appeals to written process as obstruction; the other sees ignoring clear rules and objections as procedural corruption.

Scope and impact of the ML‑KEM‑only TLS draft

  • Supporters emphasize that the draft only defines how to use ML‑KEM as a TLS key‑exchange (named) group; it doesn't ban hybrids or other PQ schemes, the code points already exist, and a client that wants hybrids can simply leave the pure‑ML‑KEM group out of the groups it offers.
  • Critics respond that once something is standardized, governments and large vendors often treat it as a required or default choice, creating downgrade and policy pressure.
  • Some argue the “seatbelt” analogy: standardizing a weaker/non‑hybrid option alongside safer hybrids is like standardizing cars both with and without seatbelts.

Procedural conduct and bans

  • Multiple comments criticize both sides: DJB for accusing chairs and area directors of corruption/NSA collusion, and IETF leadership for appearing to stonewall his appeal and (in related contexts) using bans rather than squarely addressing the technical objections.
  • Viewpoints split between seeing him as a necessary, if abrasive, watchdog, and seeing him as someone sabotaging the process when it doesn’t go his way.

Broader context: hybrid recommendations

  • References are made to German and French government guidance explicitly favoring hybrid (classical + PQ) key exchange because PQ primitives are not yet as well vetted.
  • This is cited by critics as evidence that non‑hybrid ML‑KEM shouldn’t be promoted as a first‑class, standalone option for the general internet, even if some government profiles demand it.