NSA and IETF, part 3: Dodging the issues at hand
9 hours ago
- #post-quantum cryptography
- #IETF controversy
- #TLS standardization
- Deployment of post-quantum cryptography (PQ) in TLS involves standardizing ECC+PQ, but IETF is also pushing a non-hybrid PQ option, raising concerns.
- IETF's TLS working group faced controversy over adopting an NSA-driven non-hybrid PQ document, with objections ignored despite lack of consensus.
- The IETF chairs and area director misrepresented consensus numbers, shifting from 'consensus' to 'rough consensus' to justify adoption.
- Security arguments for ECC+PQ were dismissed, with the area director downplaying risks of non-hybrid PQ and misrepresenting objections.
- The area director's evaluation favored the document, ignoring procedural flaws and focusing on personal opinions rather than consensus.
- Concerns about human factors, such as purchasing managers favoring standardized but insecure options, were overlooked.
- The area director's claims about international reliance on NIST's PQ standards were debunked, showing other countries considering alternatives.
- The conclusion that 'rough consensus' existed was based on flawed reasoning and ignored the actual lack of agreement in the working group.