Re: [Cfrg] Requesting removal of CFRG co-chair

Stephen Farrell <> Tue, 24 December 2013 03:13 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id C878B1AE3A5 for <>; Mon, 23 Dec 2013 19:13:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.437
X-Spam-Status: No, score=-2.437 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, LOTS_OF_MONEY=0.001, RP_MATCHES_RCVD=-0.538] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4IcWsFl1pgAs for <>; Mon, 23 Dec 2013 19:13:00 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 35EE91AE39C for <>; Mon, 23 Dec 2013 19:13:00 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7D64ABE58; Tue, 24 Dec 2013 03:12:41 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kxwLB2JWv2yl; Tue, 24 Dec 2013 03:12:36 +0000 (GMT)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id 20737BE4C; Tue, 24 Dec 2013 03:12:36 +0000 (GMT)
Message-ID: <>
Date: Tue, 24 Dec 2013 03:12:25 +0000
From: Stephen Farrell <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: John Viega <>, Tao Effect <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Cc: "" <>
Subject: Re: [Cfrg] Requesting removal of CFRG co-chair
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 24 Dec 2013 03:13:04 -0000

On 12/24/2013 02:49 AM, John Viega wrote:
> Whether Mr. Igoe is using an alias or is a composite is, I think,
> irrelevant to anything other than his credentials for getting the job
> in the first place (and, I’m quite sure he’s real).
> I think it’s reasonable to hold the opinion that this discussion is
> silly and overhyped.  I think there’s a good chance that Mr. Igoe had
> no subversive intent whatsoever.  I also don’t see how an IRTF
> working group chair 

Research group chair. Sorry to be pedantic, but we need to start
out at least understanding that the IRTF cannot produce an IETF

> can, with high probability, subvert the process
> (though that doesn’t mean it isn’t possible).
> However, I would ask people who are annoyed by the discussion to
> realize that public perception is important.  

I do. (But am annoyed.) I think that laziness in those who are
opposed to pervasive monitoring is as damaging as laziness in
those who think their local governments can do no wrong.

There is serious laziness in this thread so far, by which I
mean the assumption that guilt-by-association is not hugely
damaging once accepted and the level of ignorance of what is
the actual situation.

> The fact that people
> are coming out of the woodwork to comment just emphasizes that many
> people perceive this as an issue (though I don’t consider myself
> coming as out of the woodwork— I’ve been lurking for years, and have
> definitely posted a few times in the past).

I accept that people find it jarring that someone who works for
an organisation spending US$250M/yr undermining Internet security
can be an ok co-chair. However, David works for a large multinational
as do many many RG and WG chairs. I get funded by an en EU FP7
project and have in the past worked for large companies that did
get money from UK MoD and other similar customers. If you actually
think it through, then the pure who-chairs question reduces to
only being a matter of perception iff we have the level of
transparency we have. And I hope we (the IETF and IRTF) maintain
what is much more a core principle which is to not be driven by
irrational perception but to pay most attention to engineering and
science. (Whilst not being "pure" in any respect:-)

The reason the who-chairs thing reduces to perception is that
if that is not true, then our processes can be far more easily
undermined by anyone who has an axe to grind. And almost all
participants in standardisation do have some axe to grind. (I
think someone else pointed that out before as well.)

The main effect of chairs is that they either move the discussion
along well, or badly, or not at all. The only situations where a
chair can really dominate are ones where nobody really cares about
the outcome anyway. And there are (in the IETF) appeal processes
in case someone thinks stuff has gone wrong. The IRTF differs in
that respect since the IRTF doesn't do standards.

> To me, the most important thing the group can do is address how it
> makes sure to protect from subversive actors.  

I disagree, on the basis that I think we (IETF) have done that
for decades. More recently for IRTF, but it inherits a lot of
good IETF processes.

For me, figuring out how to mitigate pervasive monitoring is
far more important.

> If we had a clear
> answer there, then I think it matters far less who the chair is,
> because we can give outside eyes a better comfort level.  I don’t
> think it’s productive to be dismissive of the concern, even if you do
> not agree.

It is fair to dismiss concerns where those appear to be based
on an impressive level of ignorance of how things actually work.
Those with such concerns should ask questions, and those would
be welcome, but baseless suppositions e.g. that some real people
are invented are just plain dumb.


PS: I am not saying that all the how-stuff-works is very obvious
and ought be known, but I am saying that those who don't know,
should start by finding out before casting aspersions.

> John
> On Dec 23, 2013, at 9:15 PM, Tao Effect <>
> wrote:
>> On Dec 23, 2013, at 9:05 PM, Richard Barnes <> wrote:
>>> Kevin is a regular IETF attendee, and an author of several RFCs.
>> I never questioned that his name appears on several RFCs.
>> I even linked to such an RFC. :-)
>> It's just starting to become rather obvious that whoever is
>> carrying this name around, probably considers it to either be an
>> alias.
>> And even if that's not the case, it seems rather strange that
>> someone who is serving as co-chair of an organization that makes
>> recommendations to the world about the cryptography that it uses,
>> appears to be rather difficult to hold accountable for the
>> accusations that have been levied against him by multiple people in
>> this thread.
>> So, the members of the CFRG might not be real people and don't seem
>> to have any accountability? Is this the moral of the story?
>> It's also interesting to see some of the replies to my innocent
>> questions.
>> Here's one from Stephen Farrell, it can be summarized entirely like
>> so: "Oh FFS. Please cut the crap."
>> Here's one from John Bradley: "+1 Stephen's comment"
>> Some substance, gentlemen, please? This is not Facebook. It's easy
>> to disturb the air with exclamations, but it's not a nice thing to
>> do when your empty replies land hundreds? of inboxes.
>> Cheers, Greg
>> -- Please do not email me anything that you are not comfortable
>> also sharing with the NSA.
He is most definitely a real person.
>>> --Richard
>> _______________________________________________ Cfrg mailing list 
> _______________________________________________ Cfrg mailing list