Can you introduce yourself and your project?
My name is Michael Baentsch; I’m a computer scientist by training and free-lance security software engineer by conviction working on open-source applications and integrations of cryptography. I’ve been contributing to the Open Quantum Safe (OQS) project for several years, including to a bespoke fork of the OpenSSL project that added quantum-safe crypto to OpenSSL for users to easily deploy “post quantum” OQS software via the well-known OpenSSL interfaces.
At the start of 2021 I began work on an all-new provider, a plug-in feature available since OpenSSLv3 allowing the introduction of cryptographic algorithms via a simple binary extension. The result of this work named oqsprovider now allows seamless integration of all kinds of quantum-safe cryptography into any current deployments of OpenSSL (v3.x). This way, classic cryptographic algorithms in danger of being broken by the advent of quantum computers, such as RSA or EC, can be augmented or replaced by any of the “post-quantum” algorithms in standardization by NIST, such as ML-KEM and ML-DSA.
What are the key issues you see with the state of the Internet today?
There are many problems with the way the internet is being used today, but I’d like to focus on the area of particular interest to me, namely the deployment of cryptographic technology in the internet: One big challenge I see in this space is that there is two broad “tribes” of people working in the space with a similar interest, but with what I perceive a sometimes imperfect mode of cooperation: One is the integrators or users of cryptography and the other being “hard-core cryptographers”. The former sometimes don’t know how to securely apply cryptographic technology while many of the latter don’t thoroughly care about practical applications of their “pure mathematics”. The result in some cases are either overly complicated-to-use crypto applications or in the worst case, insecure ones or even ones where no-one is aware of cryptography being used at all.
How does your project contribute to correcting some of those issues?
The oqsprovider aims to be a technological bridge for one particular problem area in this space, namely the integration of post-quantum cryptography into the TLS and X.509 internet standard protocols with minimum change/introduction of new risks at maximum ease of use. Due to the prevalence of OpenSSL implementing these standards in many core internet software components, such as nginx, curl or https, this work percolates to many essential open source internet “backbone” software components without cryptographers having to “dirty their hands” with “productive code” all the while the integrators and users don’t really have to do more than activate oqsprovider to gain protection from the (still theoretical) risks of (future) quantum computers by way of a library (liboqs) maintained by cryptographers.
What do you like most about (working on) your project?
The most interesting part is making the software “vanish”, i.e., become as simple to use such as for people to ultimately not notice it (“just works”). This requires sometimes minute, sometimes more drastic changes to the oqsprovider software itself but also to up- and downstream projects. As particularly the latter are sometimes large software stacks, finding the most elegant way to “sneak in” oqsprovider is a bit of a good riddle to solve. This typically requires the interaction with the true specialists of those packages: Getting to know them and working with them is always rewarding.
Where will you take your project next?
This really is no longer in my hands: Earlier this year, control of the project has been taken over by PQCA, a mostly US-corporate-driven, Linux-Foundation umbrella project. On the one hand, this can be seen as a sign of success and goodness as it may mean more rigour, more uptake and more contributions by more people. On the other hand, standard, “large-project” process and procedures are now constantly getting introduced that make contributions more cumbersome. My current hope indeed is that new people will join the project and alleviate me of these burdens — particularly that of being sole maintainer.
How did NGI Assure help you reach your goals for your project?
NGI Assure was willing to fund part of my work on this project that otherwise was done entirely on a voluntary basis, driven by my personal interest to strengthen the open source community in general and OpenSSL in particular. Second, it also helped fund a third party that gave this code a glance over to straighten out coding practices in need of improvement, i.e., a “code review”: This was pretty helpful to improve this code base and make it more reliable.
Do you have advice for people who are considering applying for NGI funding?
In a nutshell: “Don’t be shy”. I never assumed there is a chance for a single person’s vision to be supported by an external funding entity, but NGI Assure made this possible.
Do you have any recommendations to improve future NGI programs or the wider NGI initiative?
As this has been an incredibly smooth and easy experience for me, my only recommendation is to make yourself more widely known in the open source community as a truly independent, non-political, non-commercial funding alternative for sensible new software. The processes and procedures as executed by NLnet and NGI are a breeze, truly supportive and easy-to-navigate for people valuing writing software code more than writing reports.
Anything else you would like to add?
Nothing, really: Thanks to NGI Assure and NLnet! Please help more folks and projects!
