Hi Nadim,

I believe you have misinterpreted Filippo’s point as a threat.

The article linked asserts conspiracy and urges action from readers regardless 
of their own level of understanding of the IETF, the TLS WG, or the document 
involved; the instructions included are clearly aimed precisely at those with 
relatively little context, given they explain how to join the working group and 
even how to format your subject line. Within that context, I think it is 
entirely fair for Filippo to highlight how this behaviour corrupts the process 
and risks turning it into a measure of who has more followers instead of 
technical merit or real consensus.

Cheers,
Kevin

> On 28 Jun 2026, at 12:46, Nadim Kobeissi <[email protected]> wrote:
> 
> Hi Filippo,
> 
> Unfortunate to have to repeat this to you again given your past conduct 
> on-list, but not every opinion that disagrees with yours is due to a 
> conspiracy that you have to go out of your way to ask to be resolved through 
> the censorship and moderation of those you disagree with.
> 
> I also don’t appreciate your open threats to manipulate “your followers” to 
> game the consensus process at the IETF, based on your interpretation of what 
> Dan wrote.
> 
> Please cease this repeated pattern of behavior and engage purely on the 
> technical merits.
> 
> Nadim Kobeissi
> Symbolic Software • https://symbolic.software
> 
>> On 28 Jun 2026, at 11:10 AM, Filippo Valsorda <[email protected]> wrote:
>> 
>> 
>> I want the WG and the chairs to be aware that Bernstein is now coordinating 
>> a campaign to get dissenting opinions emailed to the list.
>> 
>> > You can have your voice heard too. All you have to do is join the IETF TLS 
>> > mailing list <https://mailman3.ietf.org/mailman3/lists/tls.ietf.org/> 
>> > (under your real name, please!) and send a message to the mailing list by 
>> > 7 July 2026 
>> > <https://web.archive.org/web/20260625052729/https://mailarchive.ietf.org/arch/msg/tls/ol2otAvtdDrdz_xY0_eKcuY1om0/>
>> >  under the subject line "Re: [TLS] WG Last Call: draft-ietf-tls-mlkem-08 
>> > (Ends 2026-07-08)" saying that you do not support the publication of this 
>> > document.
>> 
>> https://web.archive.org/web/20260627234614/https://nsa.2026.action.cr.yp.to/
>> 
>> There is no way to know for sure, but the last three emails to the list are 
>> indeed negative opinions with subject line "[TLS] Re: WG Last Call: 
>> draft-ietf-tls-mlkem-08 (Ends 2026-07-08)" but no In-Reply-To header (which 
>> is slightly annoying to produce when one was not a participant in the list 
>> previously).
>> 
>> I don't believe this is breaking any rules, but I do believe that the 
>> interpretation that consensus is a voting process is incorrect and in bad 
>> faith, and instead the degree to which individuals have participated in the 
>> WG in the past should be part of how their opinion is weighted into calling 
>> the consensus of the WG. (Note that this is different from restricting 
>> membership.)
>> 
>> This is the only way the IETF can remain functional, by the way (to the 
>> extent it is functional for cryptography work, which is... limited). Not to 
>> put too fine a point on it, but I am confident I can get 0.1% of my 
>> followers on various platforms to email the list, if every opinion under a 
>> real name weights the same.
>> 
>> Bernstein also refers to WG members as "NSA's minions" in his call to 
>> action. I don't know if this has been repeated or linked to on list because 
>> I have a filter sending his emails to trash, but if it has I ask the chairs 
>> to please take moderation action, as discussed previously in 
>> https://mailarchive.ietf.org/arch/msg/tls/v2OS0KLqwG8nohJwB34mV2_ktQQ/.
>> 
>> (It is particularly frustrating that the work I should be doing instead of 
>> writing this is implementing post-quantum signing in Sunlight for Merkle 
>> Tree Certificates. I am convinced Bernstein has been by far the most 
>> successful actor in slowing down the post-quantum transition, intentionally 
>> or not.)
>> 
>> 2026-06-24 17:00 GMT+02:00 Joseph Salowey via Datatracker <[email protected] 
>> <mailto:[email protected]>>:
>>> This message initiates a new Working Group Last Call for 
>>> draft-ietf-tls-mlkem[1], which defines standalone ML-KEM key establishment 
>>> for TLS 1.3. The main question before the working group is: "Should the 
>>> working group publish a document specifying stand alone ML-KEM?". If there 
>>> is rough consensus then we will push to refine and publish the document; 
>>> otherwise, we will stop discussing the draft and not progress it. Please 
>>> respond to this call indicating whether you support publishing a document 
>>> specifying a stand alone ML-KEM. Please refrain from further discussion on 
>>> this topic as most arguments have been discussed multiple times.
>>> 
>>> Why are we holding this consensus call now?
>>> 
>>> Significant developments have occurred both within this document and in the 
>>> broader TLS ecosystem to address the concerns raised in the last WGLC. 
>>> Therefore, the third consensus call is warranted. We ask the working group 
>>> to consider document publication in light of these recent changes:
>>> 
>>> - Promotion of Hybrids in draft-ietf-tls-ecdhe-mlkem: Following a separate 
>>> consensus call, the WG agreed to promote the X25519MLKEM768 hybrid group to 
>>> Recommended: Y in the IANA registry. Consequently, the IANA registry will 
>>> reflect a clear community preference for a hybrid because Recommended: Y 
>>> clearly indicates this while the standalone ML-KEM groups defined in this 
>>> draft remain Recommended: N. The updated security considerations in [1] 
>>> reference the IANA registry to emphasize this preference.
>>> 
>>> - Key Share Reuse Prohibited in draft-ietf-tls-rfc8446bis: The WG recently 
>>> reached consensus to explicitly prohibit key share reuse across connections 
>>> in TLS 1.3. The new text changes the guidance from SHOULD NOT to a strict 
>>> MUST NOT. This resolves the concerns regarding static key reuse and its 
>>> associated privacy and forward-secrecy risks for ML-KEM.
>>> 
>>> - Nadim updated the ProVerif model of TLS 1.3 to evaluate KEM and hybrid 
>>> KEM groups in TLS 1.3. This supports other results which show that KEMs are 
>>> secure when used in TLS 1.3 and that hybrid groups are secure even if one 
>>> of the components is compromised.
>>> 
>>> - Liaisons: We received liaison statements from multiple SDOs including  
>>> O-RAN[2], IEEE 802.11[4] and from 3GPP[3]  expressing support for the 
>>> publication of draft-ietf-tls-mlkem as an RFC as they rely on the IETF to 
>>> provide a stable normative reference.
>>> 
>>> Please note that a third-party IPR disclosure exists [5] against this 
>>> document regarding patents related to the underlying ML-KEM algorithm. This 
>>> IPR declaration has not changed since the last WGLC. As a reminder, per BCP 
>>> 79, the IETF takes no stance on the validity of patent claims, and the 
>>> working group may decide to proceed with a technology despite IPR 
>>> disclosures if it decides that such use is warranted.
>>> 
>>> Conduct Reminder: Given the heated nature of previous discussions on this 
>>> topic, participants are strongly reminded to adhere to the IETF Code of 
>>> Conduct (BCP 54) and the TLS WG's Mail List Procedures. Keep feedback 
>>> professional, technical, and focused on the document's text.
>>> 
>>> This working group last call will end on 2026-07-08.
>>> 
>>> Joe and Sean
>>> 
>>> [1] https://datatracker.ietf.org/doc/draft-ietf-tls-mlkem/
>>> [2] https://datatracker.ietf.org/liaison/2198/
>>> [3] https://datatracker.ietf.org/liaison/2151/
>>> [4] https://datatracker.ietf.org/liaison/2148/
>>> [5] 
>>> https://datatracker.ietf.org/ipr/search/?submit=draft&id=draft-ietf-tls-mlkem
>>> 
>>> _______________________________________________
>>> TLS mailing list -- [email protected] <mailto:[email protected]>
>>> To unsubscribe send an email to [email protected] 
>>> <mailto:[email protected]>
>>> 
>> 
>> _______________________________________________
>> TLS mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to