Re: [Cfrg] Requesting removal of CFRG co-chair

John Viega <john@viega.org> Mon, 23 December 2013 18:51 UTC

It’s clear that, whatever happens to Mr. Igoe, we need to assume that we have untrusted— even malicious participants in the standards process.  It’s recently become clear that the NSA has no scruples on the matter, and I wouldn’t put it past other governments to attempt to subvert the standards process.

If Mr. Igoe is removed, it does not address the problem of how to design secure standards in the face of untrusted actors.  For instance, we can’t imagine that everyone trying to subvert the process will come to the table with ‘NSA’ as their affiliation— we should expect the NSA to work indirectly through other people to encourage standards they want to see adopted.

It doesn’t seem too relevant who the chair is— we should generally assume the chair is an untrusted entity, whether they are willingly attempting to subvert the system or not.

For instance, the other co-chair, David McGrew, is someone I personally trust.  He’s a terrific human being, but he and I both have our names on the GCM mode of operation.  In retrospect, I think there’s a definite possibility that GCM became a standard so quickly not because of its applicability to high-speed hardware implementations and its lack of IPR restrictions (which is what I firmly believed at the time), but because the NSA had an easy time breaking the message authentication mechanism through side-channel attacks.  I’d say it’s absolutely possible that the NSA worked through us unknowingly to try to subvert the standards process.

In the specific case of GCM, a lot of great work has been done since in constant-time implementations that we think protects against side-channel attacks.  But I have no idea what the NSA’s true capabilities are— and I think that’s even true for many employees of the NSA, which is clearly very compartmentalized.

Until recent revelations, the conventional wisdom seemed to be shifting toward people believing that the NSA didn’t know much about cryptography that the rest of the world didn’t know.  We seemed to think that there were far more smart cryptographers in industry and academia than hidden away in the bowels of government agencies, and that our people probably were making bigger advancements than theirs.

Today, I think we all recognize that’s a dangerous assumption.  It’s important for us, as part of the standardization process, to assume we are living in a world where governments are trying to subvert us, and that their capabilities are far greater than we expect.  Along the lines of a mail Watson Ladd just sent to this list, I think the CFRG should be demanding a *well-vetted* proof of security in the standard model where possible, and a well-vetted proof in the random oracle model when not.

But, going beyond that, I think the CFRG should also require some evidence that any foreseeable side-channel attack is addressed, under the assumption of a large government as an adversary.

As for Mr. Igoe, I think there are a few separate issues here:

1) Does his job as chair put him in a better position to subvert the standardization process, or are there appropriate checks and balances?   This one is not clear cut to me, as a casual lurker.

2) Does the presence of an NSA employee in this particular leadership position undermine public trust in the standards body, whether he is in a special position to abuse that trust or not?  I think the answer to this one is probably YES.

3) Regardless of Mr. Igoe’s employment, has his behavior been inappropriate enough to be grounds for termination?  Here, I think the initial concerns that Trevor Perrin raised about Kevin himself can possibly be chalked up to mistakes that should deserve a second chance.  HOWEVER, I feel that his utter lack of engagement in the discussion is a huge issue.

I believe public perception is important to the effectiveness of the efforts here, and I think Mr. Igoe’s lack of interest in engaging is not acceptable from someone in a leadership position.  I have less of a problem with the strong possibility that he’s a malicious player— the presence of such players is just a fact that the CFRG and the IETF have to be resilient enough to work around.

John

On Dec 23, 2013, at 11:09 AM, Yoav Nir <ynir@checkpoint.com> wrote:

> 
> On Dec 23, 2013, at 5:21 PM, Tao Effect <contact@taoeffect.com>
> wrote:
> 
>> On Dec 23, 2013, at 3:57 AM, Robert Ransom <rransom.8774@gmail.com> wrote:
>> 
>>> I note that none of the few people who are speaking in defense of
>>> Kevin Igoe have even acknowledged the specific acts that Trevor Perrin
>>> listed at the beginning of this thread, much less tried to refute the
>>> charges or defend Mr. Igoe's acts.
>> 
>> Excellent observation! Instead of doing that, the response has been that a "witch hunt" is taking place, and that this is all based on "conspiracy".
>> 
>> And yet, neither of those claims is true.
> 
> It sure seems like it. More than one person on this list has stated that this is nothing personal, but an employee of the NSA (one of tens or hundreds of thousands) is automatically disqualified from chairing a working group.
> 
> The arguments against him are the kind that are leveled against IETF working group chairs on a regular basis - that they see consensus where consensus does not exist. Such arguments are easy to prove or disprove, because the mailing lists are public. I've seen plenty of arguments about whether the two people + author who liked the proposal vs the one person who asked a question and never replied to the list again constitute "consensus". None of those arguments resulted in a petition to remove the chair. I can only conclude that Kevin is getting special treatment because of his organizational affiliation, which IMO sets a very bad precedent. 
> 
> For the sake of argument, I will concede that all the accusations made are true: that (other than Dan) Kevin had the only message to the CFRG list with a favorable opinion of Dragonfly and that he presented that in a private message to the TLS chairs as "CFRG is fine with this algorithm". This could at worst be construed as mismanagement. Yet people present this as a malicious attempt by the USG to subvert the standards process so that people authenticate with a method that leaks timing information?  At the TLS layer of all places. That accusation is baseless and makes no sense for several reasons:
> - Nobody uses passwords at the TLS layer. A PAKE has been defined for years, and it's implemented in the most popular library. Nobody cares (sorry, Dan)
> - If the USG is spending money subverting the standards process to standardize a vulnerable password-in-TLS method, Americans should be worried - it's a monumental waste of their tax dollars.
> - The widespread surveillance that the Snowden documents revealed was all done with no cryptography. It was all done by gaining access to the plaintext or gaining access to keys. The agent trying to sabotage the standards process would not be a cryptographer with an @nsa.gov email. They'd be more surreptitious about it. (yeah, I know - that's what they'd like me to think)
> 
> I don't know Kevin personally, and have never exchanged a word or an email with him, but I believe that he is the target of a witch hunt.
> 
> Yoav