Re: [Cfrg] Response to the request to remove CFRG co-chair

Stephen Farrell <> Thu, 09 January 2014 10:17 UTC


Hi Trevor,

On 01/09/2014 02:46 AM, Trevor Perrin wrote:
> On Wed, Jan 8, 2014 at 8:20 AM, Stephen Farrell
> <> wrote:
>> Hi Adam,
>> On 01/08/2014 03:17 PM, Adam Back wrote:
>>> Hi John
>>> I've seen several people putting forward a similar argument.  There is some
>>> logic but it's I think an incorrect conclusion.
>> I think there's a bit more subtlety to the conflict of interest
>> issue than maybe some folks appreciate.
> Hi Stephen,
> I'd like to understand the subtlety better.  The IETF/IRTF leadership
> seems terrified that considering an egregious conflict of interest in
> a chair is a "slippery slope" to membership fees, loyalty oaths, and
> purges.

Terrified, egregious, loyalty oaths and purges is just irritating
overblown rhetoric and wrong. Do you think such language helps
something or someone? It doesn't. However, the rest of your mail
deserves a response, so I'll skip over that.

BTW, just to be clear, I'm not part of the decision process nor
the appeal process, which is why I feel free to respond. Others who
are in the appeal chain may well not, so please don't misinterpret
their silence.

> I don't understand this.  Chairs are appointed (I assume) by weighing
> many factors:  are they smart?  Fair?  Good communicators?
> Trustworthy?  Easy to work with?  Knowledgeable both technically and
> of IETF/IRTF process?  I would think being clear of severe
> conflicts-of-interest is also good.

Yes. Appointment is not the same as firing though, at least IMO.
I figure it's right for someone appointing someone to take many
informal factors into account, but it's not the same as firing someone.

I know that you don't agree that the only issue here is Kevin's
affiliation, but that is what I think, as I said before.

> No-one wants to make these criteria for excluding participants.  But
> if a chair's lack of these qualities threatens a group's performance,
> surely it's appropriate to consider a replacement?

That's probably true in general, and Lars I assume considered all
that as will the IAB. I'm ok with that process.

>> Within the IETF it's not that uncommon to have conflicts of
>> interest where a company would like to sabotage a piece of
>> standards work, in ways that seem quite similar to the current
>> situation and that do not involve IPR, nor the misbehaviour
>> of an individual chair.
>> Say company-x have a product doing some proprietary thing
>> that has significant market share. Then others propose to
>> standardise that function, which company-x might consider
>> would lessen their advantage with their product. It would not
>> at all be a surprise to see people acting for company-x
>> (employed, as consultants or business partners) trying to
>> bugger up the standards process by e.g. trying to make the
>> standard take ages, be over-complex or omit some crucial
>> functionality. And if company-x aren't dumb then that can
>> be attempted without any obvious evidence being left about.
> And this is just totally acceptable, day-to-day life at the IETF?

No, and I didn't say it was. Do machinations happen in an
organisation involving thousands of people like the IETF?
Of course they do. Analogous things happen in academia as
well of course. The point is not that it's acceptable
behaviour (it isn't) but that our processes need to be
designed to counter it, while at the same time enabling
the sausage-making to happen.

My point though was to question the assertion that the
NSA situation is new in this respect.

I do think snowdonia is new in other respects and that
we need to respond to those.

>> Now if company-x are of any size, then it's quite likely
>> that employees of theirs are chairing other WGs. And for
>> a long-lived WG with a generic charter, it'd not be at
>> all unusual if someone working for company-X co-chairs
>> the WG in question.
>> So - what's different here? Are we saying that if a
>> company-x marketing department memo leaks that says "let's
>> bugger up <foo>" then we should fire the person who's
>> co-chairing that WG?
> Depending on the credibility of the memo and the consequences of the
> buggering, I would think that's reasonable to consider.

Fair enough that you think that. I think it'd be wrong if
the firing is solely based on affiliation.

> I disagree that this needs to be framed as "fire the person".  That
> implies this is some exceptional and insulting process to inflict on
> someone.

But it is that. Reading some of the comments on the ars articles
about this kerfuffle, the phrase "exceptional and insulting" does
seem accurate. I'm not saying that's your fault, but it has

> But there is no other process to replace an RG chair except for having
> the IRTF chair replace them.  Kevin has no term limit.  We can't just
> wait 6 months and then quietly ease him out, or something.
> Perhaps there should be some process for selecting new chairs
> periodically that is less confrontational, but unless I'm missing
> something, there is not.

There is not. That kind of thing has been discussed, and it is
generally a fine thing to rotate chairs now and then, but in a
volunteer organisation that's hard - chairing a contentious WG
can take 20% of your week and finding capable willing chairs is
hard. I don't think I've seen any credible proposal for term
limits for chairs in either the IETF or IRTF.

>>> I understand the conflict of interest when people are somewhat
>>> pushing their company's approach, related to their product or
>>> implementation choices they have some investment in, but generally
>>> tempered by reasonableness.  All the companies that care can put
>>> their voice in also.  IPR disclosures are also there.  Loose
>>> consensus and running code copes with that ok.
>> I think you left out a critical part of that, at least as it's
>> done in the IETF and IRTF - the participants ideally act as
>> individuals and not on behalf of their employers and are treated
>> that way. There is a serious danger of going down the slippery
>> slope to paid membership if we deviate from that, with what I
>> think would be overall worse outcomes.
> You lost me - what does "paid membership" have to do with this?

Once you start to recognise affiliation in the way that is implied
in the last part of your request, then you need processes that
deal with the organisations and not the individuals and that very
quickly tends to turn into a discussion about membership which
then also quickly turns into one about paid membership and voting.
You can believe me on this or not, but do bear in mind it's far too
boring an argument to want to deal with all the ins and outs;-)

>>> I think NSA sabotage is significantly different and it's unrealistic to
>>> just assume a chair has no influence.  A non-NSA chair would strive for
>>> impartiality with regard to their employer's interests.  If Certicom wants to
>>> push something and Cisco something else they are both pushing for something
>>> reasonably secure as a fundamental assumption and trying to make secure
>>> systems so their customers will buy them.  Forward secrecy is good,
>>> architectural weaknesses bad etc.
>>> The NSA is NOT in that boat.  They are explicitly sabotaging security on a
>>> grand and systematic scale at all levels including standardization.  They
>>> dislike forward secrecy, and like architectural weakness and architectural
>>> tap points and sabotaged RNGs, and fragile hard to implement correctly
>>> standards with traps.  There were numerous news articles by Greenwald and
>>> others backed by NSA docs about these strategies.
>> Other than the headline 250/yr I think I've only seen
>> convincing evidence related to the RNG stuff though. The
>> rest afaik is speculation. If I missed more that's been
>> published, I'd appreciate pointers.
> See the BULLRUN reporting and documents:

Well since those are NYT and I don't have a subscription I
can't follow those URLs:-)

But I'm pretty sure I've seen that material already.

> Adam's speculations strike me as plausible and consistent with the
> documents we have.  I think acting on "risk avoidance" grounds is
> prudent here, instead of demanding absolute proof of what would of
> course be covert and "deniable" activities by sneaky people.

I don't think his speculations are convincing on this point, as
I said. It's not surprising that reasonable people differ on how
to interpret partial information like this though.

>> But there's IMO a far more likely explanation for why we end up
>> with stuff that fits this particular speculation - a lot of
>> standards work ends up being dominated by people with more
>> complex requirements and it's always hard to keep stuff simple.
>> In the case of security protocols, the US DoD requirements, as a
>> customer (e.g. for PKI) are about as complicated as it gets and they
>> can afford to pay folks to work on that. So we've ended up with
>> PKI that's over complex for many other use-cases.
> Huh.  That's not all that different from the fears Adam has, or my
> concern about "softer forms" of sabotage.  At least, the line between
> "sabotage" and "not quite working in the Internet's best interest" is
> a blurry one.

Yes. In the latter case, I assert that the motivation is far
more commonly "prioritising one's own set of requirements" and
not "wanting the Internet to work less well."

> For example:  It's interesting how NIST tends to standardize
> algorithms that work well in hardware but are tricky in software.  

That I think is something where we can make improvements all
right, without having to agree on whether or not the current
situation is a result of sabotage or not. I'm delighted to
see CFRG starting down that road (partly spurred by your
request I think).

> And
> how DoD's steering of PKI worked for DoD, I suppose, but has not
> resulted in working key management for the Internet.

Actually, I'd argue that someone wanting pervasive monitoring
would be more likely to prefer that a DoD style PKI had been
widely deployed in the Internet, so I really don't think that
the NSA-driven sabotage argument holds water there. That's on
the basis that if everyone had to go to a CA to do stuff then
it'd be easier to track everyone and also to get at their long
term decryption keys, e.g. because they'd often be centrally
generated for mobility reasons.

And like I said there are non-govt examples as well, OAuth
as I quoted before, but also SIP and probably others.


> Trevor