I idiotically just realised I putted ML-DSA ;) Meant, ML-KEM ahaha

Thank you,

On 03/07/2026 21:38, Sofia Celi wrote:
Hi, all!

I was thinking on weighing on this very dramatic discussion for a while, and thought it might be worthwhile. For context, as people are now checking the credentials of people posting in this mailing list: I’m Sofia Celi, not long a go I was the chair of the PQUIP WG, HRPC RC and a member of the Ombusteam. I resigned to those positions some months ago. I’m also a cryptographer and I have won numerous awards on research by the IEEE S&P and NDSS. I have also published extensively on cryptography and systems since 2022 at top-tier peer-reviewed publication venues.

I neither support publication nor not publication of this document on the reason that I don’t understand why we need such a document (yes, organisations and liaison statements have asked for this, but, as far as I know, that's a request, not an argument. The IETF publishes on rough consensus and technical merit, not on demand. Liaison statements are inputs to said judgement, not instructions; and per RFC 7282, consensus was never a headcount of who wants something in the first place), but also I don’t see much harm on publishing it (to the dismay of some, ML- DSA is already a NIST standard. This means it can be freely be used by the Internet either in a hybrid manner or solo. Having an IETF informational document on this does not hurt in my opinion: in fact, the vast majority of people deploying cryptography nowadays i. Don’t even know what the IETF is ii. Choose to push any type of cryptography regardless of, iii Do not want to bother with the IETF process). However, in general I’m fully on board with https://www.ietf.org/ archive/id/draft-barnes-tls-this-could-have-been-an-email-00.txt: the TLS WG is not the best place to discuss cryptography algorithms or their political implications: "The typical TLS WG participant is not a cryptographer, and the cryptographic choices of TLS users are typically dictated by other factors than the opinion of the TLS WG". As noted many times on this discussion, ML-DSA already has an IANA code point.

On the basis of RFC 7282, the IETF publishes on rough consensus and technical merit. It doesn’t seem to me that the draft has in itself much technical merit as it just notes the usage of ML-DSA solo in TLS, as ML- DSA is already standardised by another body. This is not to shame the authors (who I appreciate a lot for bearing this painful process regardless of the decision), but I don't think the purpose of that document is to standardise ML-DSA at the IETF and the draft clearly does not do that nor the TLS WG is the place to standardise cryptography. I guess the consensus question here is to decide that we agree on “Recommended:  N”: all the other text on that document is already standardised. ML-DSA is a standard, a code point exists, the Internet is freely able to use only ML-DSA in TLS 1.3. The only “new” thing this draft proposes is “Recommended:  N”. I don’t see publishing this as an informational document at the IETF as a “stamp of approval” of the IETF: what does that even mean? But, via the same argument, why does this even need to be an IETF document?

However, what does worry me is how horrid this process has been. I don’t think it is fair to single out a single person for the toxicity of this process. From all sides of this discussion I have seen said toxicity. There are multiple Signal, Slack, Discord, Twitter (or X nowadays), blogs, HN discussions on this topic. Said discussions have reached the level of attacking people based on who they are, based on the geographic location they come from, publicly mocking people, digging people's work and websites and mocking them, publicly accusing them of not independent thinking (but rather that someone sent them), attributing bad faith to anyone that disagrees with your position. This is shameful. Many of those channels and this IETF mailing list have participants that are new to the field and it is a shame that they see how other people publicly mock others to the degree that people now have to explain their credentials. Just for the record: Orr Dunkelman is a very great cryptographer that has multiple peer-reviewed publications, has won an amazing set of awards and has an enviable career. You can disagree with people but that does not give you carte blanche to attack them. That one participant is using inflammatory language or publishing blogposts does not give you carte blanche to do the same or worse.

I implore this community to follow the chairs guideline: Let’s stick to the consensus call, "I support" or do "I do not support" as was requested in the email that began this thread. Statement as the following  are not constructive and are quite toxic:

- Labelling parts of a community credible and others as not
- Asking who sent someone to weigh on the discussion
- Publicly stating that people leaving the IETF is a good thing (there are many on the community that have left due to feeling discriminated against, and seeing this does not do any good job at making it better for underrepresent people). Once you're telling interlocutors you'd be glad to see them leave, you've stopped trying to persuade anyone and started performing contempt for an audience. - Assigning people positions based on the organisations they work or have worked for - Demanding that participants recite their credentials before their views are treated as legitimate - Mocking people's professional work, CVs, personal websites or publications - Characterising a draft, or its authors, as secretly acting on behalf of a government agency - Treating someone's nationality or where they are based as relevant to the merits of their argument - Using another participant's incivility or blogposts as a licence for your own
- Framing technical disagreement as proof of incompetence or bad faith

None of the above bears on rough consensus or technical merit, which, per RFC 7282, is the only question in front of us. If you need to resort to the points above to make your point, then you are not really making a point. I also implore the chairs and ADs to moderate more firmly this discussion.

I fully expect this to end with people mocking my work or me across the various channels, or sending me messages directly. I won't be debating it with anyone, and I'd gently point out that proving my point for me isn't the flex some may think it is.

Thank you,

--
Sofía Celi
@claucece
Cryptographic research and implementation at Brave and University of Bristol. 🏳️‍🌈
Reach me out at: [email protected]
Website: https://sofiaceli.com/

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to