[Cfrg] Response to the request to remove CFRG co-chair

"Eggert, Lars" <lars@netapp.com> Sun, 05 January 2014 07:49 UTC

Return-Path: <lars@netapp.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1E3E1ACCEE for <cfrg@ietfa.amsl.com>; Sat, 4 Jan 2014 23:49:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.74
X-Spam-Level:
X-Spam-Status: No, score=-4.74 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.538, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bvYdDgQIukg5 for <cfrg@ietfa.amsl.com>; Sat, 4 Jan 2014 23:49:22 -0800 (PST)
Received: from mx12.netapp.com (mx12.netapp.com [216.240.18.77]) by ietfa.amsl.com (Postfix) with ESMTP id 49AA31AC85E for <cfrg@irtf.org>; Sat, 4 Jan 2014 23:49:22 -0800 (PST)
X-IronPort-AV: E=Sophos; i="4.95,606,1384329600"; d="asc'?scan'208"; a="134729396"
Received: from vmwexceht04-prd.hq.netapp.com ([10.106.77.34]) by mx12-out.netapp.com with ESMTP; 04 Jan 2014 23:49:04 -0800
Received: from SACEXCMBX06-PRD.hq.netapp.com ([169.254.9.60]) by vmwexceht04-prd.hq.netapp.com ([10.106.77.34]) with mapi id 14.03.0123.003; Sat, 4 Jan 2014 23:49:04 -0800
From: "Eggert, Lars" <lars@netapp.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: Response to the request to remove CFRG co-chair
Thread-Index: AQHPCeqa0jytjbJ5tUeI0roytBzuRA==
Date: Sun, 5 Jan 2014 07:49:04 +0000
Message-ID: <492D56BD-6F33-480D-877E-02D907C5F4AA@netapp.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.104.60.115]
Content-Type: multipart/signed; boundary="Apple-Mail=_69A92858-C197-4A27-8464-8F335AB8B77F"; protocol="application/pgp-signature"; micalg=pgp-sha1
MIME-Version: 1.0
Cc: IAB IAB <iab@iab.org>
Subject: [Cfrg] Response to the request to remove CFRG co-chair
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: "cfrg@irtf.org" <cfrg@irtf.org>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Jan 2014 07:49:25 -0000

Hi,

on Dec 20, 2013, I received a request from Trevor Perrin in my role as IRTF Chair to consider the removal of Kevin Igoe as one of the co-chairs of the IRTF's Crypto Forum Research Group (CFRG). The request stated several reasons for the removal:
 
(1) That Kevin Igoe provided the only positive feedback on the "Dragonfly" key exchange protocol.
 
(2) That Kevin Igoe made technical suggestions that would have weakened the cryptographic properties of "Dragonfly".
 
(3) That Kevin Igoe misrepresented the CFRG opinion on "Dragonfly" to the IETF's TLS working group.
 
(4) That Kevin Igoe is employed by the NSA.
 
I have reviewed the mailing list discussion, as well as the emails that were sent privately. Thank you all for being candid in your feedback.
 
David McGrew, the CFRG's other co-chair, has already posted a detailed timeline of events on points 1-3 to the list and concluded that the research group process has been followed imperfectly. I share this conclusion. However, while unfortunate, the mistakes made were not of a severity that would warrant an immediate dismissal of Kevin Igoe as co-chair. It is also the first such occurrence that I am aware of.
 
As mentioned above, the final point in Trevor Perrin's request pointed out Kevin Igoe's NSA employment and questions whether he can therefore be trusted to co-chair the group. This is an important question, with two aspects to it. First, whether a co-chair of a research group has the ability to unduly influence or subvert the technical work of the group. Second, whether having Kevin Igoe serve as a co-chair otherwise affects the ability of the research group to perform its duties.
 
I would like to discuss these two aspects in a bit more detail.
 
On the first point, RFC2014 details guidelines and procedures for IRTF research groups, and it is important to understand the IRTF and its mode of working. RFC2014 prominently states in Section 1 that IRTF "participation is by individual contributors, rather than by representatives of organizations". This applies to participation in any role, including as co-chair of a research group.
 
RFC2014 goes on to describe that research group co-chairs "perform the administrative functions of the group", and details those in Section 5.3, including process and content management, mailing list moderation, meeting organization and follow-up, community building, and document development and publication.
 
So unlike the title "co-chair" might imply, and unlike in many other organizations, IRTF co-chairs are little more than group secretaries. Their ability to influence the technical work of the group is little different from that of any other group participant.
 
Research groups typically have multiple co-chairs from different organizations, and all currently chartered research groups have open membership, so all IRTF business is conducted in the open, on public mailing lists and in public meetings. Any participant suspecting misconduct can raise any issue either in the group or to the IRTF chair, as Trevor Perrin has done in this case. This is how our process should work, and this is why any individual participant - co-chair or not - is unlikely to be able to subvert ongoing research group work.
 
The second aspect of Trevor Perrin's last point - whether having Kevin Igoe serve as a co-chair otherwise impacts the ability of the research group to perform its duties - is one of public perception more than anything else.
 
"NSA agent co-chairing key crypto standards body" makes a catchy, albeit factually incorrect, news headline, and publicity like this may deter new people from participating in the CFRG, which may limit the amount of technical work it can take on, and may limit the body of expertise in the group. That is obviously of concern.
 
However, would removing Kevin Igoe as a co-chair address this issue? Co-chairs do not wield more power over the content of the ongoing work than other research group participants. Should we then eliminate all individuals affiliated with the NSA from participating? We may be able to identify those that choose to participate openly under that affiliation, but what about consultants or academics that fund their participation partially or fully through NSA contracts, now or in the past? What about participants from or funded by intelligence agencies in other countries that may or may not have collaborated with the NSA?
 
It is a very slippery slope, and we run the serious danger of eliminating valuable contributions to our work by preventing individuals with certain affiliations to participate. That of course also affects the ability of the research group to perform its duties. In the end, it is a trade-off.
 
The IRTF and IETF have always welcomed participation by all, and the open processes that both organizations employ have been our safeguard against any group of participants that attempted to subvert our technical work, in any field we're active in. Widespread wiretapping by nation-state adversaries is a threat unlike any other in the history of the Internet, but I do not believe that preventing interested people from participating in the IRTF or IETF based solely on their affiliation will help us combat that threat.
 
I hope the above explains why I am declining Trevor Perrin's request to remove Kevin Igoe as a co-chair of the IRTF's Crypto Forum Research Group (CFRG).
 
I realize this has been a controversial discussion, and this is likely a controversial decision. Let me therefore outline what I believe the next level of escalation is, should research group participants want to go that route.
 
RFC2014 does not define an appeals process for the IRTF, other than in the case when the IRTF Chair closes a research group that disagrees with that decision. However, the IRTF Chair is appointed by the Internet Architecture Board and serves at its discretion. Ultimately, any disagreement with the actions of the IRTF Chair should therefore be raised with the IAB. (Note that I am an ex officio member of the IAB and will receive any email sent to the normal iab@iab.org email address. If that is of concern, my suggestion would be to email the IAB Chair, Russ Housley, and the IAB Executive Director, Mary Barnes, directly at iab-chair@iab.org and execd@iab.org, respectively.)
 
Finally, I want to thank Trevor Perrin to have raised the concerns he had with the situation in the CFRG. Our open process works best when any concerns are brought forward for public discussion, as was the case here.
 
Lars Eggert
IRTF Chair