Re: [Cfrg] NSA sabotaging crypto standards

"Dan Harkins" <dharkins@lounge.org> Fri, 07 February 2014 08:31 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34FDB1A039D for <cfrg@ietfa.amsl.com>; Fri, 7 Feb 2014 00:31:13 -0800 (PST)
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K7-_VATsDF5L for <cfrg@ietfa.amsl.com>; Fri, 7 Feb 2014 00:31:10 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id D7E5D1A0058 for <cfrg@irtf.org>; Fri, 7 Feb 2014 00:31:10 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 4B5CC10224008; Fri, 7 Feb 2014 00:31:10 -0800 (PST)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Fri, 7 Feb 2014 00:31:10 -0800 (PST)
Message-ID: <c2077ef440412f1158e7bacdfc8f8db7.squirrel@www.trepanning.net>
In-Reply-To: <CACsn0cmFpQEBbv=3EWvUff3EnNuuiqyzjJqFR6Dy97VjLREVVg@mail.gmail.com>
References: <20140203192451.6268.76511.idtracker@ietfa.amsl.com> <14AB44E0-4C90-4E4C-A656-885A31CF4C02@checkpoint.com> <CACsn0cmDT-FAN8uMZ0w8TX6GKPAZjnrexLeFQd7QhRfoY6AGFQ@mail.gmail.com> <75e1e853dc391b418062ee5e51adeb2f.squirrel@www.trepanning.net> <CABqy+sr7ZKrACj4Ga2_75d9Kea0aKbrp2P5fWWu4YZP53zijxw@mail.gmail.com> <CACsn0cmS152wYQWHiX8ykzaMM=6b=r=fwVuLfPj_u0wmoq0jKw@mail.gmail.com> <7BAC95F5A7E67643AAFB2C31BEE662D018B81B7F7C@SC-VEXCH2.marvell.com> <CACsn0c=a5PvZOZgVRjHaJ2avGCPHF6b6nOpNh+iT0909X-jUFA@mail.gmail.com> <52F23D52.4090509@cisco.com> <EFA9E215-3B01-43C6-A8F0-3F98E3ED2E26@netapp.com> <3E30D764-7E19-45DB-9D6D-63949F5B36CB@netapp.com> <255B9BB34FB7D647A506DC292726F6E1153AE65F2E@WSMSG3153V.srv.dir.telstra.com> <570B8BE5-1362-4D08-A22D-FE86FC4A77DC@netapp.com> <CACsn0ckm95r4x7VBrW81+f7Resf7RcS6iOBPx3yqu9m1VuELhw@mail.gmail.com> <6F8C22FA-B968-4B3C-8A8D-C24F1DFC5021@vpnc.org> <CACsn0cmFpQEBbv=3EWvUff3EnNuuiqyzjJqFR6Dy97VjLREVVg@mail.gmail.com>
Date: Fri, 07 Feb 2014 00:31:10 -0800
From: Dan Harkins <dharkins@lounge.org>
To: Watson Ladd <watsonbladd@gmail.com>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [Cfrg] NSA sabotaging crypto standards
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Feb 2014 08:31:13 -0000

On Thu, February 6, 2014 11:10 am, Watson Ladd wrote:
> On Thu, Feb 6, 2014 at 10:48 AM, Paul Hoffman <paul.hoffman@vpnc.org>
> wrote:
>> On Feb 6, 2014, at 9:00 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
>>
>>> IETF working groups will follow suit if they see that some new
>>> protocol is documented by the CFRG.
>>
>> Can you give examples of that? Having been active in many IETF WGs for
>> 15+ years, I can't think of one, but I could have forgotten some.
>
> Dragonfly in TLS was the first time this happened. Had Rene Struik not
> noticed that CFRG hadn't done anything, life would be interesting.
> My understanding was that CFRG existed so that IETF WGs without
> cryptographers could borrow some temporarily from us. That's what the
> HTTP auth people are doing, and what TLS did with Dragonfly.

  I don't want to perpetuate this unfortunate thread but I would like
to correct the record. I came up with the dragonfly exchange quite
a long time ago and have been promoting its use in different
protocols-- EAP, IKE, 802.11, TLS. All that activity precedes the
CFRG draft.

  Rene's review of the CFRG draft was, as he notes in the title of his email,
"triggered by" the TLS-pwd last call. Note that the hullabaloo over
TLS-pwd was triggered by Trevor Perrin's realization (after 2 years)
that TLS-pwd existed and his subsequent incorporation of dragonfly
into a conspiracy theory involving the NSA. So actually, had Trevor
paid as little attention to the TLS WG that week as he did the previous
2 years, things would've been less "interesting" (to use your word).

  Basically, the timeframe and the process you're suggesting are a
little off.

  Also, note your "understanding was that CFRG existed so that IETF
WGs without cryptographers could borrow some temporarily" is
without basis. The WG that produced IPsec and IKE had such notable
cryptographers as Krawczyk, Canetti, Orman, and Bellovin, as active
participants (and I commit a sin of omission here by failing to mention
others, my apologies). Other working groups have similar participation
by very well-respected experts.

  Now, you may have issues with IPsec, IKE, TLS, or whatever but
please realize that is most likely the result of the sausage making
function of a standards process. I have lots of problems with IKE but
none of them were the result of the brilliant cryptographers that
helped produce it, they were the result of engineering shortcuts,
compromise among differing viewpoints in order to achieve
consensus (some of which appear in hindsight quite ridiculous),
haste to get the standards out there, and a failure to specify the
protocol properly.

  The rubber hits the road in an IETF WG. If you want to make sure
that a particular IETF protocol is done right, then engage there.
The CFRG should be, in my opinion, a bridge between theory and
practice.

  regards,

  Dan.