Re: [Cfrg] Requesting removal of CFRG co-chair

William Whyte <> Fri, 20 December 2013 19:04 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 1F94B1ADEBA for <>; Fri, 20 Dec 2013 11:04:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id GuaFNBHBOrch for <>; Fri, 20 Dec 2013 11:04:43 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c01::22b]) by (Postfix) with ESMTP id EADFA1ADF9B for <>; Fri, 20 Dec 2013 11:04:42 -0800 (PST)
Received: by with SMTP id c9so2576819qcz.16 for <>; Fri, 20 Dec 2013 11:04:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=from:references:in-reply-to:mime-version:thread-index:date :message-id:subject:to:content-type; bh=NH8YWsXuG78cNLd4DwWX5dLroy0MFV5FDWMzGpXRGRE=; b=NKt/9Gdnevi0GyzIBEyixclIsnS1z1x25kmSCUmdRNk4/gTa4Uh4/uTl5C4fE0PrIl RODWpotzh8apGQEn39GX9dvsfH3TwCSyiaRuN2lVJji14RY+4KndIrHEUNSAD9k7ozWF 2y1fYrlHSpOAWalMMq2RKA4yIicdPxgo9MfPA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:from:references:in-reply-to:mime-version :thread-index:date:message-id:subject:to:content-type; bh=NH8YWsXuG78cNLd4DwWX5dLroy0MFV5FDWMzGpXRGRE=; b=FcXnaxLmxYncru+CUd2FBkTH1HwIsuUxWo4sqVsJ3WqfE+RkcKZGyEdicnboh92H6A akl1DIGkBZsfghzym78YyBsnGBh5AMrDKwBkAx5QNI75BWiJR8n3aKQXu9k3A6UmBKNn iNIT8kLYOA/FKJfp2DcOnzm7bPnYctBJWG+9v5/RmSqp/cTNuD1enQv+Vz0rg7t3g61j S2Wc2pL+FKypkMYvCgH7TbLM9KUSHNq1Qm9r5aFRTlGQSyanVRof87dVi7cIBhnyqJT8 amLfYkPND/K6CG8fUNKLBuzW6aHy3BAuuDdhoBVuMfzYnKo7+ORe/7uu9pUlaTC30rou QZrA==
X-Gm-Message-State: ALoCoQmeVqKXJIIhu111JKBe2b2ZqQrK+dvOceEOXuz0zNU7G5NicERJ1tIE6io9PbDAwTusWVDk
X-Received: by with SMTP id j2mr17107629qci.6.1387566280513; Fri, 20 Dec 2013 11:04:40 -0800 (PST)
From: William Whyte <>
References: <>
In-Reply-To: <>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQIQdep8VG0rr2PaqKp4agice/BVd5nacRoA
Date: Fri, 20 Dec 2013 14:04:41 -0500
Message-ID: <>
To: Trevor Perrin <>,
Content-Type: text/plain; charset="ISO-8859-1"
Subject: Re: [Cfrg] Requesting removal of CFRG co-chair
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 20 Dec 2013 19:04:45 -0000

I agree. It's appropriate for Kevin to be able to contribute, just as it's
appropriate for any individual to be able to contribute, but it's not
appropriate for any NSA employee to have a role of responsibility in a
crypto standards group, especially a group developing standards to be used


-----Original Message-----
From: Cfrg [] On Behalf Of Trevor Perrin
Sent: Friday, December 20, 2013 11:02 AM
Subject: [Cfrg] Requesting removal of CFRG co-chair

Dear IRTF Chair, IAB, and CFRG:

I'd like to request the removal of Kevin Igoe from CFRG co-chair.

The Crypto Forum Research Group is chartered to provide crypto advice to
IETF Working Groups.  As CFRG co-chair for the last 2 years, Kevin has
shaped CFRG discussion and provided CFRG opinion to WGs.

Kevin's handling of the "Dragonfly" protocol raises doubts that he is
performing these duties competently.  Additionally, Kevin's employment
with the National Security Agency raises conflict-of-interest concerns.

Dragonfly Background
Dragonfly is a "Password-Authenticated Key Exchange" protocol (or "PAKE").
Dragonfly was proposed to CFRG 2 years ago [PROPOSAL].
Compared to better-known PAKEs, Dragonfly has no security proof, a lack of
extensive security analysis, nonfunctional complications added for IPR
reasons, and some security issues [REVIEW].

Dragonfly became a hot topic recently when the TLS WG disputed CFRG's
alleged report that Dragonfly was "satisfactory", as well as disputing
that this report reflected CFRG consensus [TLS_1].  After extensive
criticism of Dragonfly, the TLS WG ceased work on a Dragonfly extension

NSA Background
The National Security Agency ("NSA") is a U.S. Intelligence Agency which
is believed to devote considerable resources to:
 - "Influence policies, standards and specifications for commercial public
key technologies"
 - "Shape the worldwide cryptography marketplace to make it more tractable
to advanced cryptanalytic capabilities" [BULLRUN]

While much is unknown about these activities, the NSA is known to have
placed a "back door" in a NIST standard for random number generation
[ECDRBG].  A recent report from the President's Review Group recommends
that the NSA:
 - "fully support and not undermine efforts to create encryption
 - "not in any way subvert, undermine, weaken, or make vulnerable
generally available commercial software" [PRESIDENTS]

This suggests the NSA is currently behaving contrary to the

Reasons for requesting Kevin's removal
1)  Kevin has provided the *ONLY* positive feedback for Dragonfly that can
be found on the CFRG mailing list or meeting minutes.  The contrast
between Kevin's enthusiasm and the group's skepticism is striking
[CFRG_SUMMARY].  It's unclear what this enthusiasm is based on.  There's
no record of Kevin making any effort to understand Dragonfly's unusual
structure, compare it to alternatives, consider possible use cases, or
construct a formal security analysis.

2)  Twice Kevin suggested a technique for deriving the Dragonfly
password-based element which would make the protocol easy to break
[IGOE_1, IGOE_2].  He also endorsed an ineffective attempt to avoid timing
attacks by adding extra iterations to one of the loops [IGOE_3, IGOE_4].
These are surprising mistakes from an experienced cryptographer.

3)  Kevin's approval of Dragonfly to the TLS WG misrepresented CFRG
consensus, which was skeptical of Dragonfly [CFRG_SUMMARY].

4)  Kevin's NSA affiliation raises unpleasant but unavoidable questions
regarding these actions.  It's entirely possible these are just mistakes
by a novice chair who lacks experience in a particular sort of protocol
and is being pressured by IETF participants to endorse something.  But
it's hard to escape an impression of carelessness and unseriousness in
Kevin's work.  One wonders whether the NSA is happy to preside over this
sort of sloppy crypto design.

While that's of course speculation, it remains baffling that an
experienced cryptographer would champion such a shoddy protocol.  The CFRG
chairs have been silent for months, and haven't responded to attempts to
clarify this.

The position of CFRG chair (or co-chair) is a role of crucial importance
to the IETF community.  The IETF is in desperate need of trustworthy
crypto guidance from parties who are above suspicion.  I encourage the IAB
and IRTF to replace Kevin Igoe with someone who can provide this.

Thanks for considering this request.


Cfrg mailing list