On Fri, Dec 13, 2024 at 08:24:24PM -0800, Joseph Salowey wrote:

> You continue to violate list policy with unprofessional commentary on other
> participants' motivations and repeatedly raising points that are out of
> scope. Please stop this behavior. This is the last warning before we will
> take action and temporarily ban you from the list; see BCP 94 [0].
>
> [0] https://datatracker.ietf.org/doc/html/rfc3934

I personally find this threat excessive under the circumstances. However forceful, or insistent on being heard, Dan may be at times, history has shown that he is often enough ultimately proved right, years or decades later. However "inconvenient", IMHO his voice should not be suppressed.

If his strong view is that pure PQ KEMs (probably not just ML-KEM/Kyber) are too novel to be responsibly relied on without a classical fallback, then he should IMHO be able to forcefully make that case.

If there is nevertheless a demonstrable plurality of reputable cryptographers on record as saying that *pure* PQ KEMs are (despite initial implementation bugs) strong enough to move towards deployment, then Dan's view may not prevail, but I do not find his posts to be beyond the pale.

There were also (with IIRC Dan instrumental in bringing these to light) some early side-channel issues in AES, that AFAIK still apply to some reference pure software AES implementations, and when used securely, AES is hardware assisted, or slower if counter-measures are implemented.

The AES issues were unfortunate, and ideally would have been identified prior to standardisation, but proved "fixable". If we're in luck that'll also be true with Kyber, but arguments for some caution don't come across as unfounded.

--
    Viktor.

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org