Re: [Cfrg] Requesting removal of CFRG co-chair

Adam Back <adam@cypherspace.org> Sun, 22 December 2013 08:27 UTC

Date: Sun, 22 Dec 2013 09:27:03 +0100
From: Adam Back <adam@cypherspace.org>
To: Paul Lambert <paul@marvell.com>
Cc: Hilarie Orman <ho@alum.mit.edu>, Adam Back <adam@cypherspace.org>, "cfrg@ietf.org" <cfrg@ietf.org>, "irtf-chair@irtf.org" <irtf-chair@irtf.org>

Sorry but no.  His employer has been exposed as spending $250m/year to
sabotage amongst other things standards.  Including paying RSA (with its
influence as de facto industry standards author (PKCS# series)) $10m to
include EC_DRBG as a random number generator.  And influencing NIST to
publish the same.  We do not know what other overt or soft-sabotage has been
going on where.  Note the disclosed information included mention of more
plausibly deniable soft-sabotage - eg architectural decisions pushing
towards less decentralization (concentrated tap points), fragility, and
'accidental' biases that leak keys (like the original DSA flaw that
Bleichenbacher found), and seeming organizational inability to deploy MUST
forward-secrecy ciphersuites throughout IETF protocols.

Kevin is free to resign from his employment or not now he knows these facts. 
He surely must have some view on it whether he thinks it's a good thing and
was actively working on it, or a bad thing, but unable to comment.

Regardless I do not think it remotely acceptable in the circumstances that
current NSA employees are in any position of administrative control within
any public standardization processes period.  Positions of administrative
control are weak points of public policy processes.  Often individuals have
insufficient energy to take on the administrative work-load, so they are
relatively easy to fill.  I have seen in the distant past UK MoD (presumably
GCHQ) people popping up in unlikely positions (eg national health medical
record security standards).

Clearly, and perhaps where your sympathies come from, this could be emotively
misread as a slight to Kevin personally.  It's not, it's completely impartial.
But it's just that that's the risk you take when you work for government and
government is exposed to have committed outrageous, well funded and
persistent societal interest sabotage.  Society hardly needs to defend its
actions in reacting.  We are the egregiously wronged party.

How also should the US industry players feel, knowing how many $ billions
they are losing to European competitors as a result of this bad faith on the
part of NSA via NIST and abuse or collusion of commercial vendors.  Think
USG or NSA is going to write them a check to compensate?  They were all
used.

What do we have to do to finalize the process of removing?

Adam

On Sat, Dec 21, 2013 at 03:55:13PM -0800, Paul Lambert wrote:
>
>
>This debate started as a discussion of the "Dragonfly" protocol.  The core
>cryptographic mechanism has been reviewed in multiple forums for two years
>and is incorporated into IEEE standards.  It is not an optimal mechanism,
>but was constructed for its IPR considerations to serve a specific
>purpose.  It is useable and secure for the intended use cases and the
>protocol should progress forward.  The discussions on the CFRG list for
>time were productive and contributed to improvements in the protocol.
>
>The CFRG co-chair's support of advancing the protocol has unfairly been
>turned into a witch hunt.  The collateral damage is the stopping a
>potentially useful protocol mechanism.
>
>It is embarrassing to me to see the technical debate in the IETF lowered
>to the point that we are removing and rejecting people by their
>affiliation.  The whole point of standards is to bring into a room a group
>of competitors and work through a process to create technical solutions in
>a productive manner.  A continued debate on individuals' open affiliations
>is not productive.  We should not proceed with a witch hunt to remove
>Government employees from the IETF.
>
>Anyone with experience in standards activities should already be wary of
>motives that drive each of the contributions.  I'd rather have my
>competitor (or in this case the NSA) in the room to get whatever reading I
>can on their positions on our technical work.  We will always have to
>second guess the motives of individuals bringing work into our open forums.
>
>Paul
>
>Paul A. Lambert
>
>
>
>On 12/21/13, 3:29 PM, "Tao Effect" <contact@taoeffect.com> wrote:
>
>>On Dec 21, 2013, at 6:17 PM, Tao Effect <contact@taoeffect.com> wrote:
>>> Should not the choice of an employer reflect on a person's competence?
>>
>>Sorry, thinking a bit more about that question, I think the answer is
>>"no, not necessarily, but maybe in some circumstances."
>>
>>
>>--
>>Please do not email me anything that you are not comfortable also sharing
>>with the NSA.
>>
>>>
>>>
>>> On Dec 21, 2013, at 5:37 PM, Hilarie Orman <ho@alum.mit.edu> wrote:
>>>
>>>> Take it as a challenge, is the IETF smarter than NSA or any other
>>>> organization with ulterior motives?  Can the IETF make sound technical
>>>> judgments based on written documents?
>>>
>>> Speaking for myself only, an organization's ability to make sound
>>>ethical choices impacts my ability to take it seriously.
>>>
>>> What sort of people does the IETF/CFRG place in positions of authority?
>>>
>>> Those types of decisions play a significant role in defining what an
>>>organization is, and what it does.
>>>
>>>> and choose leaders based on their competence and not on their
>>>>employment.
>>>
>>> Should not the choice of an employer reflect on a person's competence?
>>>
>>> Careful now, we're deadly close to reaching Godwin's Law. ;-P
>>>
>>> - Greg
>>>
>>> --
>>> Please do not email me anything that you are not comfortable also
>>>sharing with the NSA.
>>>
>>> On Dec 21, 2013, at 5:37 PM, Hilarie Orman <ho@alum.mit.edu> wrote:
>>>
>>>> Is the CFRG co-chair the only person in the CFRG who has associations,
>>>> proclaimed or covert, with an organization intent on undermining the
>>>> standards process?  I seriously doubt it.  Then why trust anything
>>>> from any part of the IETF?  Because it is an open process with input
>>>> from a worldwide community.  That open process provides the resilience
>>>> against attack.
>>>>
>>>> Take it as a challenge, is the IETF smarter than NSA or any other
>>>> organization with ulterior motives?  Can the IETF make sound technical
>>>> judgments based on written documents?  If you don't believe this is
>>>> possible, then by all means, start the purges.  Otherwise, step up to
>>>> the plate, be part of the evaluation-on-the-merits process, and choose
>>>> leaders based on their competence and not on their employment.
>>>>
>>>> Hilarie
>>>>
>>>> _______________________________________________
>>>> Cfrg mailing list
>>>> Cfrg@irtf.org
>>>> http://www.irtf.org/mailman/listinfo/cfrg
>>>