Re: [Cfrg] Requesting removal of CFRG co-chair

[John Viega <john@viega.org>]

On Mon, Dec 23, 2013 at 10:12 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:


On 12/24/2013 02:49 AM, John Viega wrote:
> Whether Mr. Igoe is using an alias or is a composite is, I think,
> irrelevant to anything other than his credentials for getting the job
> in the first place (and, I’m quite sure he’s real).
>
> I think it’s reasonable to hold the opinion that this discussion is
> silly and overhyped.  I think there’s a good chance that Mr. Igoe had
> no subversive intent whatsoever.  I also don’t see how an IRTF
> working group chair

Research group chair. Sorry to be pedantic, but we need to start
out at least understanding that the IRTF cannot produce an IETF
standard.

Actually, I do appreciate the difference, and given the nature of the discussion, I'm sorry I was sloppy on this.

> can, with high probability, subvert the process
> (though that doesn’t mean it isn’t possible).
>
> However, I would ask people who are annoyed by the discussion to
> realize that public perception is important.

I do. (But am annoyed.) I think that laziness in those who are
opposed to pervasive monitoring is as damaging as laziness in
those who think their local governments can do no wrong.

There is serious laziness in this thread so far, by which I
mean the assumption that guilt-by-association is not hugely
damaging once accepted and the level of ignorance of what is
the actual situation.

> The fact that people
> are coming out of the woodwork to comment just emphasizes that many
> people perceive this as an issue (though I don’t consider myself
> coming as out of the woodwork— I’ve been lurking for years, and have
> definitely posted a few times in the past).

I accept that people find it jarring that someone who works for
an organisation spending US$250M/yr undermining Internet security
can be an ok co-chair. However, David works for a large multinational
as do many many RG and WG chairs. I get funded by an en EU FP7
project and have in the past worked for large companies that did
get money from UK MoD and other similar customers. If you actually
think it through, then the pure who-chairs question reduces to
only being a matter of perception iff we have the level of
transparency we have. And I hope we (the IETF and IRTF) maintain
what is much more a core principle which is to not be driven by
irrational perception but to pay most attention to engineering and
science. (Whilst not being "pure" in any respect:-)

The reason the who-chairs thing reduces to perception is that
if that is not true, then our processes can be far more easily
undermined by anyone who has an axe to grind. And almost all
participants in standardisation do have some axe to grind. (I
think someone else pointed that out before as well.)

The main effect of chairs is that they either move the discussion
along well, or badly, or not at all. The only situations where a
chair can really dominate are ones where nobody really cares about
the outcome anyway. And there are (in the IETF) appeal processes
in case someone thinks stuff has gone wrong. The IRTF differs in
that respect since the IRTF doesn't do standards.

I don't disagree with any of the above.  Anyone who has done serious standards work knows that each company's perceptions of what is "best for the public" is generally tainted through the lens of what is best for that company (and hopefully its customers).  There are many bad actors in the standardization process.
 

>
> To me, the most important thing the group can do is address how it
> makes sure to protect from subversive actors.

I disagree, on the basis that I think we (IETF) have done that
for decades. More recently for IRTF, but it inherits a lot of
good IETF processes.

For me, figuring out how to mitigate pervasive monitoring is
far more important.

Well, I agree that is also very important.  But let me clarify-- I think the IETF/IRTF does a fairly good job of addressing subversive actors.  But that doesn't mean it couldn't do better.

> If we had a clear
> answer there, then I think it matters far less who the chair is,
> because we can give outside eyes a better comfort level.  I don’t
> think it’s productive to be dismissive of the concern, even if you do
> not agree.

It is fair to dismiss concerns where those appear to be based
on an impressive level of ignorance of how things actually work.
Those with such concerns should ask questions, and those would
be welcome, but baseless suppositions e.g. that some real people
are invented are just plain dumb.

I don't think that it's reasonable to expect the public to understand the processes of standards bodies.  But we should still be able to give them a concise overview that easily conveys why the public should trust us.  I think one way to address the problem in part, as I previously recommended, is to only make recommendations when there is an appropriate proof of security and additional analysis on side channel attacks.