[Cryptography] NSA up to their old tricks - stuffing the IETF WGs with their supporters for weakened standards
Nico Williams
nico at cryptonector.com
Tue Oct 14 22:59:44 EDT 2025
On Mon, Oct 13, 2025 at 01:35:45PM +0000, Salz, Rich via cryptography wrote:
> Maybe that’s what they want, but the IETF is not doing that, no matter
> what Dan writes. While there is a non-hybrid MLKEM draft in the TLS
> working group, it has seen zero uptake. Compared to the hybrid key
If by zero uptake you mean that the draft was not adopted as a working
group document, then that's wrong. If you mean that no one has
implemented it, well, since CNSA can be (is being?) used to compel
compliance from vendors in order to be able to get government contracts,
then uptake _now_ is not what matters, rather uptake later.
> exchange draft, which is widely deployed on the Web. Signatures are
> another matter, as some argumentative folks delayed progress on the
> hybrid signature format for so long that industry might just have
> stopped waiting (cf ANSI X9 PKI).
The problem is that we might see ML-KEM end up in non-government
deployment configurations.
That said, the fact that the TLS codepoint assignments have been made,
that the registries in question are Specification Required, and that
PKIX doesn't even have or need OID registries, means that ML-KEM is a
fait accompli. If anything perhaps that Internet-Draft _should_ be a WG
work item so that the WG and the IETF at large can get suitable warning
language added to it.
Nico
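The worry in the message above is that pure ML-KEM could quietly appear in non-government deployments once codepoints exist. One practical check is to look at what a client actually offers: the following is an added example, not code from the list post or from any IETF draft, that parses the supported_groups extension out of a TLS 1.3 ClientHello and flags pure ML-KEM codepoints separately from the hybrid ones. The codepoint values are an assumption taken from draft-ietf-tls-ecdhe-mlkem (hybrids) and draft-connolly-tls-mlkem-key-agreement (pure ML-KEM); the message quotes no numbers, so verify them against the IANA TLS Supported Groups registry before relying on them. The ClientHello used at the bottom is constructed in the block, not a capture.

```python
"""Flag pure (non-hybrid) ML-KEM groups offered in a TLS 1.3 ClientHello (example code)."""
import struct

# Assumed codepoints (see lead-in); check against the IANA registry before use.
PURE_MLKEM = {0x0200: "MLKEM512", 0x0201: "MLKEM768", 0x0202: "MLKEM1024"}
HYBRID_MLKEM = {
    0x11EB: "SecP256r1MLKEM768",
    0x11EC: "X25519MLKEM768",
    0x11ED: "SecP384r1MLKEM1024",
}
CLASSICAL = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}

HANDSHAKE_CLIENT_HELLO = 1
EXT_SUPPORTED_GROUPS = 10
EXT_SUPPORTED_VERSIONS = 43


def parse_supported_groups(handshake: bytes) -> list[int]:
    """Return the NamedGroup codepoints in a ClientHello.

    Input is the Handshake struct of RFC 8446: msg_type(1) || length(3) || ClientHello.
    Raises ValueError for anything that is not a well-formed ClientHello.
    """
    if len(handshake) < 4 or handshake[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello handshake message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                                        # legacy_version, random
        pos += 1 + body[pos]                                # legacy_session_id
        (cs_len,) = struct.unpack_from("!H", body, pos)
        pos += 2 + cs_len                                   # cipher_suites
        pos += 1 + body[pos]                                # legacy_compression_methods
        (ext_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        end = pos + ext_len
        if end != len(body):
            raise ValueError("extensions length does not match ClientHello length")
        groups: list[int] = []
        while pos < end:
            ext_type, ext_data_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            data = body[pos:pos + ext_data_len]
            pos += ext_data_len
            if pos > end or len(data) != ext_data_len:
                raise ValueError("extension overruns ClientHello")
            if ext_type == EXT_SUPPORTED_GROUPS:
                (list_len,) = struct.unpack_from("!H", data, 0)
                if list_len % 2 or 2 + list_len != len(data):
                    raise ValueError("malformed supported_groups")
                groups = list(struct.unpack_from("!%dH" % (list_len // 2), data, 2))
        return groups
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def classify_groups(groups: list[int]) -> dict[str, list[str]]:
    """Bucket codepoints so pure ML-KEM is visible on its own rather than lumped with hybrids."""
    out: dict[str, list[str]] = {"pure_mlkem": [], "hybrid_mlkem": [], "classical": [], "other": []}
    for g in groups:
        if g in PURE_MLKEM:
            out["pure_mlkem"].append(PURE_MLKEM[g])
        elif g in HYBRID_MLKEM:
            out["hybrid_mlkem"].append(HYBRID_MLKEM[g])
        elif g in CLASSICAL:
            out["classical"].append(CLASSICAL[g])
        else:
            out["other"].append("0x%04X" % g)
    return out


def offers_pure_mlkem(handshake: bytes) -> bool:
    """True if the ClientHello advertises any non-hybrid ML-KEM group."""
    return bool(classify_groups(parse_supported_groups(handshake))["pure_mlkem"])


def build_client_hello(groups: list[int]) -> bytes:
    """Constructed test ClientHello (zero random, one suite, TLS 1.3 only); not a capture."""
    cipher_suites = b"\x13\x01"                            # TLS_AES_128_GCM_SHA256
    sg = struct.pack("!%dH" % len(groups), *groups)
    sg_ext = struct.pack("!HHH", EXT_SUPPORTED_GROUPS, len(sg) + 2, len(sg)) + sg
    sv_ext = struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, 3, 2) + b"\x03\x04"
    exts = sg_ext + sv_ext
    body = (b"\x03\x03" + bytes(32)
            + b"\x00"                                        # empty legacy_session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                                    # null compression only
            + struct.pack("!H", len(exts)) + exts)
    return bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    hello = build_client_hello([0x001D, 0x11EC, 0x0201])
    print(classify_groups(parse_supported_groups(hello)))
    print("pure ML-KEM offered:", offers_pure_mlkem(hello))
```

Run the same parser over ClientHellos captured from your own clients (the Handshake message is the payload of the first TLS record); a non-empty pure_mlkem bucket on a host that is not under a CNSA mandate is exactly the configuration drift the message warns about.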
--
More information about the cryptography mailing list