Re: [Cfrg] would it be a good idea for CFRG to try review algorithm documents?

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 11 December 2015 16:25 UTC

To: "Salz, Rich" <rsalz@akamai.com>, Simon Josefsson <simon@josefsson.org>
References: <5668D26F.2020200@cs.tcd.ie> <5668D7A3.1070103@cs.tcd.ie> <876105koj1.fsf@latte.josefsson.org> <50580c044b254c64a0ba0971bef77ce8@usma1ex-dag1mb1.msg.corp.akamai.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <566AF8FF.8060206@cs.tcd.ie>
Date: Fri, 11 Dec 2015 16:25:35 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/uIJmKKXRn3dr2waaYizYAnpyCA0>
Cc: "cfrg@irtf.org" <Cfrg@irtf.org>, Nevil Brownlee <rfc-ise@rfc-editor.org>

Hi Simon, Rich,

On 11/12/15 16:16, Salz, Rich wrote:
>> Wouldn't it make more sense for the CFRG to work on a document that said
>> that vanity algorithms (state-sponsored or not) are harmful to Internet
>> security, and should not be published as RFCs at all?
> 
> Isn't AES arguably a vanity algorithm?  What's the criteria?

Well, before you go there, I think we can agree that folks
do come along to the IETF all the time wanting their fav
algorithms usable on the Internet. And sometimes those folks
can write a law saying "you must be able to use <this>."
And that won't stop. We know already that there are some
more on the way in the not too distant future.

Now, even if we don't like that or consider it a good idea,
I don't think we can fully ignore it (much as I'd like it
if we could).

So the suggestion here is to try ensure that we're not as
open to doing the wrong thing as we might otherwise be nor
as perhaps some other venues still are.

Of course, none of this means that we would ever want any such
algorithm as MTI for one of our standards, and indeed Rich has
promised us a draft along those lines (which I'm sure we'll
see popping out soon:-). That draft though is better off
being an IETF BCP and not a CFRG product. (I'll be sure to
get feedback here though.)

S.