Re: [Cfrg] NSA sabotaging crypto standards

"Eggert, Lars" <lars@netapp.com> Thu, 06 February 2014 16:20 UTC

Hi,

I want to respond to a few of your points. I won't get into a prolonged debate here.

On 2014-2-6, at 16:00, Manger, James <James.H.Manger@team.telstra.com> wrote:
>> The CFRG is not a standards group. It does not produce standards.
> 
> These look and smell like standards to me, and this is where they are worked on.

<snip>

but they aren't. By definition, the IRTF does not produce standards, and the first sentence of the boilerplate of any IRTF RFC says

   This document is not an Internet Standards Track specification; it is
   published for examination, experimental implementation, and
   evaluation.

and then goes on to state even more caveats. That's about as clear as we can be.

>> As an individual, I am fully in favor of making widespread wiretapping
>> as difficult and costly as possible, and I am very supportive of
>> anything the IETF and IRTF can do here.
> 
> NSA have been sabotaging crypto standards. This is separate from widespread wiretapping.

Fair point.

I would also be in favor of any action that would make it more difficult for anyone to subvert the work we do. I still do not believe that replacing Kevin as chair would actually serve that purpose.

> Removing Kevin Igoe will be a concrete statement that we find the NSA sabotage of crypto standards unacceptable.

No, it wouldn't. It would be a demonstration that we believe in guilt by association. We'd make Kevin the scapegoat, irrespective of the fact that his personal actions do not warrant such a removal.

If the CFRG wants to make a statement about the actions of the NSA, then it can certainly do exactly that, i.e., folks can craft text to that effect and then the group can see if it has consensus to publish that statement. (The IETF did make such a statement via the Vancouver plenary poll.)

>> Eliminating groups of people from participating
>> because of their current or past employment status, or based on whom
>> they consulted for or took research grants from weakens that open
>> process.
> 
> We are not eliminating groups, we are saying we strongly object to one organization's actual behaviour.
> My understanding is that Kevin Igoe is a current employee of the NSA, paid (at least in part) to work on crypto standards.
> 
>> past employment status
>> consulted for
>> took research grants
> 
> No one is suggesting anything about those categories.
> Listing them feels like an attempt to invoke an imaginary slippery slope as an excuse not to act.


You are arguing to remove Kevin based on his affiliation. I'm therefore guessing you have similar concerns about other current NSA employees. And possibly the other groups I listed above, since their financial relationship with the NSA could be argued to influence their participation. The slippery slope is not an excuse - where do you draw the line?

All that said, I fully understand people's anger at the actions of the NSA, and I do share it. I also understand the impulse to want to do something. But I don't consider punishing an individual contributor to the group for the actions of his employer an appropriate action. I also do not believe that the solution lies in preventing individuals from contributing solely based on their affiliation.

Lars