[tptacek]

The author of this post is a cryptographer. The people who select ciphers for products are almost invariably not cryptographers. The idea that DJB crypto is selected simply because it is "clearly superior in every way" seems inaccurate.

In fact, I think it's comments like these that set people like Guttman off. If you pay enough attention to the people who select but don't design ciphers --- ie, non-cryptographer engineers --- you're starting to hear more and more of a drumbeat of "do whatever DJB says"; if you push those people to explain those decisions, you don't usually get good answers.

[CiPHPerCoder]

> If you pay enough attention to the people who select but don't design ciphers --- ie, non-cryptographer engineers --- you're starting to hear more and more of a drumbeat of "do whatever DJB says"; if you push those people to explain those decisions, you don't usually get good answers.

Sure. I like to call that condition "secure by default". Said engineers most often don't have a lot of knowledge and experience with cryptography, so they opt for the best option available. In a lot of cases, it's DJB's work. In other cases, it's someone who followed his example (e.g. the BLAKE(2) team).

Also, this might have had something to do with this shift towards the current situation:

https://gist.github.com/tqbf/be58d2d39690c3b366ad

> Use, in order of preference: (1) The Nacl/libsodium default

> If you can just use Nacl, use Nacl. You don't even have to care what Nacl does.

[tptacek]

I take your point, and the point of the sibling commenter. I just think Guttman is talking about a different kind of "DJB by default" phenomenon.

[CiPHPerCoder]

I think you're right.

[napoleond]

And yet, that drumbeat is probably a good thing. And perpetuated by people like you chanting "just use NaCl" every chance you get. So it's not super fair to pick on non-crypto geeks for accepting that easy truth.

[tptacek]

We're not talking about what library to use; we're talking about what algorithms go into standards.