I'm adding an RFC 9680 coauthor to the To line to request IETF LLC
attention to the antitrust issues here.
Scott Fluhrer (sfluhrer) writes:
> There are people whose cryptographic expertise I cannot doubt who say
> that pure ML-KEM is the right trade-off for them
Please note that antitrust law forces standardization organizations to
follow procedures that prevent anti-competitive activities. Here's an
introduction to the topic from the American Bar Association:
https://www.google.com/books/edition/Handbook_on_Antitrust_Aspects_of_Standar/zin5tgAACAAJ
Having a company influencing IETF decisions by making claims about what
customers are demanding---with no explanation of _why_ those demands are
being made, and no opportunity for IETF review of the merits of those
rationales---is exposing IETF to antitrust litigation. Even if the
specific incident at hand isn't meant to suppress competition, it shows
that IETF doesn't have the requisite procedural protections in place, so
it provides evidence helpful for _anyone_ who decides to sue IETF about
_any_ standardization topic.
As a side note, the "could still be construed as representing their
employer" part of RFC 9680 is certainly triggered by a message that's
adding weight to its argument by explicitly invoking the company's name
(in this case: "Cisco will implement it").
> I am essentially just asking for code points.
Hmmm. If the only request were for allocation from an open namespace
(which apparently has been done already), then why make claims about the
supposed desirability of omitting normal hybrid defenses? I also don't
see how the collective-action text ("I understand that people want to
discuss the hybrid KEM draft more (because there are more options there)
- can we at least get the less controversial part done?") can be
interpreted as merely an administrative allocation request. One followup
said "Can we start an adoption call?" and another said "+1".
Furthermore, email dated 24 Oct 2024 03:15:38 +0000, in the analogous
context of ML-DSA, said that "Cisco" has "some customers who want ML-DSA
only", and concluded that "we'll end up standardizing" that.
The ML-DSA discussion sounded like some people think that NSA refuses to
authorize U.S. government purchasing of hybrids (outside some special
circumstances). I asked whether that's true---whether NSA has in fact
banned hybrids. I quoted an official NSA statement saying "hybrid
solutions may be allowed or required due to protocol standards, product
availability, or interoperability requirements"; I said this "will be
triggered if, e.g., the TLS WG issues an RFC requiring all PQ in TLS to
be hybrid"; I haven't seen a counterargument.
Now the WG is again being told, again without a rationale, that some
unspecified cryptographic experts with money are demanding non-hybrids.
Even if it's true that NSA is banning hybrids (is it?), I'm opposed to
non-hybrids on security grounds and on BCP 188 grounds. But the more
basic point is that IETF's decisions on the topic have to comply with
IETF's procedural obligations under antitrust law.
---D. J. Bernstein
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
