It's worth mentioning that there's another possible motivation: The possibility that ML-DSA turns out to be insecure and we have to fall back on the purely hash-based schemes, like SPHINCS+, which could increase certificate sizes by a factor of at least two above the ML-DSA-88 worst case, and possibly a lot more. SPHINCS+-256f certificates would be about 50 KB in size, so a chain of several of them could get really big.

Having a very space-efficient alternative would be really beneficial in that case. And the problem with all of this stuff is that it's speculative. We don't know when, or if, large quantum computers will become practical, and we don't know what the future holds for cryptographic discoveries. What we do know is that if you want to change the foundations of the web's security model, it's going to take a decade or three. So it makes sense to hedge your bets by starting to develop, standardize and test alternatives now.

In today's X.509 certificates, 64 bytes is the size of one signature. One certificate contains a public key (32 bytes) and a signature (64 byte), plus some additional stuff, so each cert is 500 bytes. Also, I can't figure out what they mean by "six signatures and two public keys". Each certificate in a chain contains one pubkey and one signature. A chain of six certificates would contain six pubkeys and six signatures.

This statement is so confused I can't make head or tail of it.

Some realistic certificate sizes:

RSA-2048 keys: ~1.2 KB (though we've abandoned RSA for lots of good reasons)
Ed25519 keys: ~0.5 KB
ML-DSA-44: ~3.7 KB.

Assuming a fairly minimal certificate chain server -> intermediate -> root, you need three certificates. Let's say four for good measure, so:

RSA-2048: 6 KB chain
Ed25519: 2 KB chain
ML-DSA-44: 15 KB chain.

And if you step up to ML-DSA-88, double that to 30 KB.

Those post-quantum chain sizes aren't intractable, of course. Typical web pages today are on the order of 2-3 MB, so even an ML-DSA-88 chain would only increase the download size by about 1%

Still, if there's a more space-efficient Merkle tree-based representation, that's a good thing. Saving a few KB on every TLS session is good. The aggregate bandwidth savings across the whole Internet would be enormous.

We do, actually, but they're far too small and far too unreliable to pose a current threat. That said, with something like the Internet, which takes decades to upgrade core components, if you wait until the problem exists before you try to solve it, you're gonna be in trouble.

It's still possible that quantum computers will never be practical, but there's been significant progress over the last few years that makes it seem like it probably will happen. If you have anything that relies on asymmetric cryptography and you still want it to be secure in 20 years, you might want to start looking into post-quantum algorithms now.

Got any evidence that that's what's going on? And why would it even be necessary? The massive demand for GPUs and RAM for AI data centers is clear. How would that possibly not raise prices?

I think you were far from alone in that. The comments on the article about Anthropic relaxing their safety commitment showed a lot of people thought it was DoD-related.

Because if you can get the Chinese government to share its secrets with your computer, then you get to be the new Chinese government. How can you look at the power Putin has over Trump and not want something similar?

As a pro-US person, I want China to be using these US-hosted tools, and I want people like Hegseth prosecuted for anything they knowingly leak.

I'm not saying every server in the US needs to have a "please upload your most valuable secrets here" form, but shouldn't there be some? It might as well be whatever's currently "hot" since that'll invite the most unwitting cooperation with US Intel.

Is this not common sense?

Who is cheating, lying to and manipulating us, and how? I don't see any of that. I see normal market dynamics: Demand has dramatically outstripped supply, so prices have gone up. This will prompt suppliers to build out capacity to meet supply -- and the massive profits they're receiving from the high prices will fund that buildout. But of course it will take time, so stuff's going to be very expensive for a while.

That's what I see. What "cheating, lying and manipulation" do you see?

They really didn't. I don't have to look it up because I was a Google employee at the time and had access to the employee handbook and other documentation.

The problem is that you're looking for a kind of solution that doesn't exist. There probably isn't now any undergraduate math problem that AI can't do, and if there is, there soon won't be. Trying to find kinds of problems that students can do but AI can't is fruitless.

The only answer is to get students to understand why they really need to do the work themselves -- and it's the same reason that they need to learn integration by parts even though the CAS can do it far faster and more accurately -- because learning develops their minds. And, for the students who are unwilling to understand, test them on it in a context where they can't rely on AI: Pencil and paper tests in a room free of any sort of electronics.

OMFG is a Z-machine an application? "Hey kids, come run pornograph--err, I mean pornoliteral adventure games on my dirty Frotz fork!"

"COVERED APPLICATION STORE " DOES NOT INCLUDE AN ONLINE SERVICE OR PLATFORM THAT DISTRIBUTES ANY OF THE FOLLOWING APPLICATIONS IF THE APPLICATION RUNS EXCLUSIVELY WITHIN A SEPARATE HOST APPLICATION:

(I) EXTENSIONS

(II) PLUG- INS

(III) ADD- ONS

(IV) OTHER SOFTWARE APPLICATIONS .

Is a JVM an application? Is a hypervisor an application? Is lua/cpython/awk an application?

If so, then we could theoretically split our repositories into two, where only a subset of "applications" need special handling, and higher-level applications can be free of any new problems. Of course, the "special handling" will still be an absolute nightmare.

They didn't flip flop. They changed their position on one aspect of AI security, while holding the line on a different aspect. It's like if you decided that you were willing to leave your car doors unlocked, but refused to leave your house unlocked. Different things, different risk calculations.

Common sense is neither common, nor sense.

Back your assertions up with data.

I don't think so. Today's LLMs can actually solve stuff like this.

Seriously, come up with a problem it can't have seen.

Just for fun I grabbed my old calculus book, flipped to a chapter, looked at the exercises and grabbed one that was a word problem. I then fed it to Claude. Here's the result: https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fclaude.ai%2Fshare%2F5909de...

That isn't a great example because it's too "canned". You could probably find exactly this problem online. But that doesn't actually matter. Come up with a more creative, unique one that the LLM won't have seen verbatim but is within the capabilities of an average (or even above average) freshman taking a college calculus course, and the LLM will solve it handily.