I assume that the point was that NSA is against using hybrid algorithms like the one used by OpenSSH, which combine a traditional algorithm with a post-quantum algorithm, arguing that using both algorithms is an unnecessary complication.
The position of D. J. Bernstein and also of the OpenSSH team is that the prudent approach is to use only hybrid algorithms until enough experience is gained with the post-quantum algorithms, to be reasonably certain that they are secure against the possible attacks.
If they obtain the documents requested through FOIA, it is expected that they will support the opinion that the NSA recommendations should be ignored, because they have a very long history of making attempts to convince the public that certain cryptographic algorithms are secure enough, even when they were aware of weaknesses in those algorithms that they could exploit, so it was in their interest that everybody else should use them, to facilitate the NSA's tasks.
As explained at the linked Web page, in the past NSA has forced the standardization of algorithms that had too short keys, i.e. DES and DSA, and has made partially successful attempts to standardize back-doored algorithms like Clipper and their infamous random bit generator.
Similarly now, they want to enforce the use of only the post-quantum winning algorithm, without the additional protection of combining it with a traditional algorithm.
Fucking everybody's position is to combine classical key exchanges with PQC KEMs. It wasn't NIST's job to standardize a classical+PQC construction. The point of the contest is to figure out which PQC constructions to use. NIST also didn't recommend that everyone implement their cryptographic handshakes in a memory-safe language. But not doing that is going to get a bunch of people owned by NSA too. Do you see how silly this argument is?
Ostensibly, nistpqc is about finding safe crypto, first for TLS, second for ssh. You will argue differently, but we all expect the same end product.
NIST has specifically asked for guidance on hybrid crypto (as well you know), as I documented elsewhere on this page.
You assert that NIST only accepts pure post-quantum crypto. They ask for hybrid.
Color me jaded.
EDIT: Just for you, my fine fellow!
'For example, in email to pqc-forum dated 30 Oct 2019 15:38:10 +0000 (2019), NIST posted technical comments regarding hybrid encryption modes and asked for feedback “either here on the pqc-forum or by contacting us at pqc-comments@nist.gov” (emphasis added).'