Re: [Cfrg] Requesting removal of CFRG co-chair

Alyssa Rowan <akr@akr.io> Sat, 21 December 2013 14:40 UTC

Return-Path: <akr@akr.io>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 896471ADAEA for <cfrg@ietfa.amsl.com>; Sat, 21 Dec 2013 06:40:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wQW0T9LBGuPI for <cfrg@ietfa.amsl.com>; Sat, 21 Dec 2013 06:40:20 -0800 (PST)
Received: from entima.net (entima.net [78.129.143.175]) by ietfa.amsl.com (Postfix) with ESMTP id 792341ADED5 for <cfrg@ietf.org>; Sat, 21 Dec 2013 06:40:20 -0800 (PST)
Received: from [10.10.42.10] (cpc5-derb12-2-0-cust796.8-3.cable.virginm.net [82.31.91.29]) by entima.net (Postfix) with ESMTPSA id 7274260A12 for <cfrg@ietf.org>; Sat, 21 Dec 2013 14:40:16 +0000 (GMT)
Message-ID: <52B5A853.2000500@akr.io>
Date: Sat, 21 Dec 2013 14:40:19 +0000
From: Alyssa Rowan <akr@akr.io>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: cfrg@ietf.org
References: <CAGZ8ZG2f9QHX40RcB8aajWvEfG0Gh_uewu2Rq7bQGHYNx6cOmw@mail.gmail.com> <ddd7a57df8d7ba569bba601a235234bb.squirrel@www.trepanning.net>
In-Reply-To: <ddd7a57df8d7ba569bba601a235234bb.squirrel@www.trepanning.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Subject: Re: [Cfrg] Requesting removal of CFRG co-chair
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Dec 2013 14:40:23 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[Cross-posting ceased, in light of Lars' message: he'll read the list.]

On 21/12/2013 08:28, Dan Harkins wrote:

> This request is FUD on top of innuendo.
  [...]
> The added implication of a conspiracy theory should be all the more
>  reason to reject it.

With all due respect, it is simply pointing out an elephant in the room:

• The NSA have been publicly documented, and caught, manipulating and
  subverting cryptographic standards to weaken them.

  - It is a publicly-documented fact being discussed by an oversight
    panel who are recommending that the President stop the NSA doing
    that.

  - That unavoidably logically implies that they're doing it now.

  - Not a conspiracy theory therefore: documented fact.

  - It was specifically discussed at the IETF 88 Technical Plenary.
    If you are unfamiliar with that discussion, and the resulting hums,
    please look it up. <https://youtu.be/oV71hhEpQ20?t=25m9s>

• If a nation state adversary were doing such a thing, they would
  probably target (among others) this group, which is chartered with
  evaluating cryptographic standards for internet protocols.

  - Ideally, they would hold a position of power, being able to guide
    the committees into making decisions that are to their advantage,
    provide bad advice that will be trusted in light of his position,
    or misrepresent consensus that could be interpreted as mere error.

• Well, the co-chair of this group - literally - works for the NSA.

• We're gonna have a problem here.

It is a crystal-clear, indefensible, classic conflict-of-interest -
Kevin M. Igoe literally works for an attacker we are trying to defend
against!

I mean no disrespect to him as a person: please record that. But I'm
sure that if he is being honest, he will understand the concerns, and
gracefully resign his position.

He might be an ethical fellow, and dislikes how their SIGINT appears
to have fatally undermined their COMSEC. Sadly, I don't KNOW that; and
the trouble is, it raises the highly uncomfortable, but sadly
unavoidable, impression that he could instead be employed to undermine
the work of this group.

In light of what we do know about BULLRUN, it is entirely reasonable
for us to be uncertain, and to doubt, whether Kevin is working in the
best interests of the internet.

And it is reasonable for us to fear that instead, he may be working in
the best interests of his employer - which, sadly, appear in light of
IETF 88 and related discussions, to have been in direct conflict.

He has to go. Nothing personal.

> I am extremely sorry that my draft seems to have caused the CFRG 
> chairs to be the target of these accusations.

IETF 88 specifically addressed the importance of public oversight and
scrutiny in the evaluation of cryptographic standards.

So, on the contrary, I am extremely glad that the effect of your draft
was a fresh round of public scrutiny and oversight. Thank you for that.

[Just to clarify: One of the co-chairs, Kevin M. Igoe, openly works for
 the NSA and is the source of raised concern here. I have no cause for
 concern about the other co-chair, David McGrew, who works for Cisco.]

> The protocol in question, dragonfly, does not have any security 
> flaws that would cause it to be inappropriate as a TLS cipher
> suite.

I note that you feel protective, even hotly defensive, of your work.
Others have raised concerns which appear to remain insufficiently
addressed. Beyond that, I won't comment within this discussion.

- -- 
/akr
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJStahTAAoJEOyEjtkWi2t694AQAJvVdhzjVEbZC89smIDShzuG
bybdRXeaXCGU9T5d4bG0kb3fVG+ya/pymPRYQDujT4nDUMD1/9xzZlyesLnv6UNL
P1iLGY70Sn+saTsGez/1s7/hF4plDqqK/L2evNM9RF2Dh0KBvGWJauEGaMTAb9U4
JRJ0zZbS2OFSDX0a7By4Lvn6qOYWl5Vbu5N0mMQ3tcbutbrg3pPhaGxM6lrtLtoA
wg6va87kGSQbRFuiodLrdZx83eDJNpNoA+mHDLVatZdzTfpUbkSwPbMWiBBanMwI
7rKA6ykoB0YTdYuNZS5vfGIDP+i5/4pN3RFfQ5LnCBn4mmyZXuF0CFQN5kb4ucya
KOvvlIhuNJ60YcJM55a074V2ywajG4PJtyGvqa17v9QNTaipO4p7SGi2a2XK6zmf
cH3kycPmUI8/74adp/3SncOVTsrPJBiKee1leh4jeh45YvA/onzxh/HkGJt5z1lL
SQegneFX3dnZ1JOyX29IYTnb5+TlOuk/YkrfNXQSABw8QGFWU8ahRdhcNUmpmITv
wJrxE1yenlJnqXQo15TdqsKLHP6pdtKsFmCjhYXLqy9xZA4+GtZ5GtGK9pEM3dIx
FuahvMR5+s8rUsy0iTh26zVucNVhFBLIzptc8lTOdszGs87iWgHmWi2CYTA+9uPN
rojDo10p8NRrZjXJDftR
=Z/mS
-----END PGP SIGNATURE-----