Having MLKEM without a hybrid as an option in TLS when the interoperable choice is a hybrid is not going to exclude people.
Furthermore we didn't hybridize x25519 and RSA. It's clear some people believe ML-KEM is secure enough for their uses. There also is no protocol police: code points for this will exist regardless of what the IETF does with the draft.

Sincerely,
Watson

On Sat, Dec 7, 2024, 9:26 AM D. J. Bernstein <d...@cr.yp.to> wrote:

> Salz, Rich writes:
> > The IETF has lawyers who are familiar with how the IETF works, and
> > that legal counsel finds our processes acceptable level of risk.
>
> RFC 9680 was issued in October 2024 and says that it's "intended to
> educate IETF participants about how to reduce antitrust risks in
> connection with IETF activities". Sounds like the lawyers are worried.
> More to the point, they _should_ be worried.
>
> > The IETF has long accepted that saying "we have customers who want
> > this" as a metric into its decisions. If Foo.Com says they have
> > customers for RFC X, then the IETF community believes it is more
> > likely that Foo.Com will implement RFC X. Market acceptance is
> > important to what the IETF considers success.
>
> The whole point of antitrust law is to put constraints on _how_ market
> success can be pursued, so praising market success is missing the point.
> Take any corporation (whether for-profit or not) that lost an antitrust
> case, and look at its briefs; you'll see that it argued, unsuccessfully,
> that what it was doing was healthy market activity.
>
> As one of many examples of the constraints that antitrust law places on
> standards-development organizations, look at
>
> https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52011XC0114(04)
>
> asking, inter alia, whether "the procedure for adopting the standard in
> question is transparent". Saying that IETF is pursuing market success
> does nothing to answer this transparency question, or any of the other
> procedural questions asked by antitrust law.
>
> The same link also asks whether there are "objective criteria for
> selecting the technology to be included in the standard". Where are
> IETF's objective criteria for deciding what to select? Where's the
> documentation demonstrating systematic enforcement of those criteria?
>
> As illustrated by this discussion, IETF allows a company to push for a
> standard by simply claiming, without evidence or quantification or a
> technological rationale, that there are customers for the standard.
> History shows that IETF is more likely to act on such claims from large
> companies than from small companies.
>
> Yes, of course a company pushing for something to be standardized will
> claim that the standard will have customers. This is content-free beyond
> the company name---and IETF doesn't follow procedures that demand more
> information. Evidently the IETF "metric" is not the market prospects of
> what's being proposed for standardization, but rather the size of the
> company pushing for it. That's inherently anti-competitive, rewarding
> the existing big players instead of establishing a level playing field.
>
> A court will want to know how IETF procedures stop a large company or a
> cartel from manipulating IETF's decision-making process to suppress
> competition. What the court will instead see is evidence of IETF often
> allowing its process to be manipulated without even asking questions.
>
> > Please don't quote other lawyers to us.
>
> You're complaining about my providing a link to
>
> https://www.google.com/books/edition/Handbook_on_Antitrust_Aspects_of_Standar/zin5tgAACAAJ
>
> from the American Bar Association? I think this is a great starting
> point for WG participants who want to learn more about the topic.
>
> ---D. J. Bernstein
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org