Re: [Cfrg] RE: Where's the beef?

"Steven M. Bellovin" <smb@research.att.com> Sat, 31 August 2002 01:26 UTC

From: "Steven M. Bellovin" <smb@research.att.com>
To: Alex Alten <Alten@attbi.com>
Cc: "David A. Mcgrew" <mcgrew@cisco.com>, cfrg@ietf.org, "Ran Canetti" <canetti@watson.ibm.com>
Subject: Re: [Cfrg] RE: Where's the beef?
Date: Fri, 30 Aug 2002 19:31:16 -0400
Message-Id: <20020830233116.66AA27B5E@berkshire.research.att.com>

In message <3.0.3.32.20020830130541.01915860@mail>, Alex Alten writes:
>David,
>
>At 12:39 PM 8/30/2002 -0700, David A. Mcgrew wrote:
>>>
>>> You side-stepped my budget question.  So I assume no money is available.
>>
>
>No.  I disagree.  Anything serious must go through very thorough "private"
>review first.  You cannot put stuff out publicly until you are sure it 
>will fly from a crypto/security point of view.  Otherwise you will damage
>our reputation to the point that you might as well disband.
>
>To me "private" means we have the best cryptanalysts possible review our
>RFCs before we put them out for public review (say a couple of months 
>before first call).  Unless the various RG members have the credentials
>(only 2-3 are probably needed per type of RFC) AND are willing to sign
>the review, you *will* have to pay for this type of review, and it is not
>cheap (although the best are not the most expensive).  In any case it is
>good professional form to have neutral 3rd parties review them; our RG
>members will probably develop biases while working on or discussing a
>technology/RFC.

Alex, if I recall correctly you've made this proposal before -- and
were told that (a) the IETF doesn't work that way, (b) the IETF doesn't
want to work that way, (c) we think that we do a good job nevertheless,
and (d) the openness of our process makes it easier to attract the
attention of many different experts -- which has, in fact, happened in
the past.

Putting on my Security AD hat, I can say quite unequivocally that I 
have no budget for "expert reviews" of any sort.  Nor do I feel the 
need for one.

As for "private review" before first call -- no one thinks that 
anyone's random, first thoughts should be published as an RFC, or even
as an I-D.  Most I-Ds, even -00s, are the product of a fair amount of 
thought and work before they're even submitted for the first time.  And 
we have a lot of review after that, by bodies we call "working groups".

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com ("Firewalls" book)

