RESPONSE TO APPEAL TO IAB BY MR W A SIMPSON

Brian Carpenter <brian@ICAIR.ORG> Tue, 05 October 1999 13:30 UTC

Message-Id: <199910051306.JAA29923@ietf.org>
To: IETF-Announce:;
From: Brian Carpenter <brian@ICAIR.ORG>
Subject: RESPONSE TO APPEAL TO IAB BY MR W A SIMPSON
Reply-to: iab@ietf.org
Date: Tue, 05 Oct 1999 09:06:24 -0400
Sender: scoya@cnri.reston.va.us

This is the IAB's response to an appeal against IESG action lodged
on May 1, 1999 by William Allen Simpson. The appeal (accessible
at http://www.ietf.org/appeal ) specifically concerns the IESG's
rejection on March 1, 1999 of Mr Simpson's appeal to the IESG 
summarised in his words as

> >Pursuant to the process detailed in RFC-2026 sections 6.5.1 and 6.5.2,
> >and ultimately 6.5.3, I appeal the IESG decision to publish
> >draft-ietf-ipsec-ciph-cbc-03.txt and all documents referencing it,
> >together with the failure to publish draft-simpson-cbc-01.txt,
> >draft-simpson-desx-02.txt and draft-simpson-des3v2-03.txt (or earlier
> >versions thereof).

PROCEDURAL MATTERS

The IAB is not a court of law; in fact it has a very narrow
scope of possible action under RFC 2026 (either annul an IESG
decision and send the matter back to them, or simply make
a recommendation to the IESG). In addition to that the IAB has
the option of making suggestions about the IETF standards process.

In this case, the IAB followed as closely as possible the procedure 
adopted for previous appeals - a call for comments on the IETF list,
short speaking slots in an open hearing, and then a private
discussion within the IAB. The open hearing was held during the
Oslo meeting of the IETF, on July 15, 1999. 

Four IAB members recused themselves from decision-taking on this appeal:
Fred Baker (IESG Chair), Harald Alvestrand (IESG member at the time),
Ran Atkinson (former IPSEC WG co-chair) and Geoff Huston (Chair of the 
ISOC Board).

Prior to the hearing the IAB received written comments from Bodo Moeller,
Ozan Yigit, and requests to speak from Bill Simpson, Ted T'So,
Eric Brunner, and Donald Eastlake. All of these requests to speak
were granted, subject to a time limit of ten minutes for Mr Simpson
and five minutes for the others. Mr Simpson spoke by telephone
connected to the open hearing, since he was unable to be present
in person. Mr Simpson provided additional
detailed arguments and on-line references. Additional speakers
at the hearing were Paul Lambert and Scott Bradner.

Not being a court of law, the IAB has not responded to the appeal
point by point in detail, nor has it examined the working group
record in exhaustive detail. However we checked the record
of relevant IESG discussions. 

We have specifically not responded to Mr Simpson's claim of "plagiarism 
and misappropriating copyright" as this is clearly outside our competence.

COMMENTS ON MAJOR CLAIMS

Mr Simpson's appeal to the IAB makes the following major claims:

>  1) The decision was not timely.  The documents had already been published.
>    The RFC Editor had promised not to publish the documents until the
>    issues had been resolved.

The response from the IESG (dated March 1, 1999) to Mr Simpson's appeal
(dated October 22, 1998) was indeed delayed until about four months
after the IESG's minuted decision to approve publication of the
contested documents. However, RFC 2026 explicitly avoids setting a time
limit for the response to appeals, nor does it forbid publication of
documents during the course of an appeal, so there is no process
violation here. It does require appeal responses to be communicated
"within a reasonable period of time" which was not respected in this
case.

   Even though there was no process violation here, the IESG response
   SHOULD have been sent within a few days of the decision to reject
   the appeal.


> 2) The answers by the IESG are non-responsive; particularly to points
>    #9, #14, #15, #17, #18.  The appeal explicitly listed "other
>    documents" in its subject, and explicitly addressed issues of cross
>    reference.

The appeal was very complex but clearly centered around four specific
documents. The IESG restricted its response to those four documents,
which are the nub of the matter. We consider this restriction
reasonable and do not find the IESG's answers to be non-responsive.

> 3) The answers contain numerous false statements, unsupported by the
>    WG record.

The allegedly false statements primarily relate to spoken communications
that were not transcribed.  There is,
therefore, no basis upon which to review Mr. Simpson's claims.
We note, though, that the allegedly false statements 
concern matters which we would not expect to be on the written record.
The comments made in the open hearing confirm a continuing disagreement
about these matters between Mr Simpson and other members of the IPSEC WG.

> 4) The answer concludes with an ad hominem attack on appellant.

Since the appeal was personal in nature, it would have been hard to
respond to it in completely impersonal language.  However, the nature
of the WG and appeal processes is such that it is always easier to
arrive at reasonable and reasoned decisions if all parties involved can
maintain a spirit and tone of calm and professional discourse. That
said, it is clear that regrettable, intemperate and pejorative language
has been used over a period of years by several of the participants in
the process.

   Pejorative language SHOULD never be used in communications from WG
   chairs or IESG members.

TECHNICAL ISSUES

Technical issues are settled in the IETF by WG rough consensus as judged by
the WG chair(s). We find no process violation here, merely the fact that
Mr Simpson did not agree with the rough consensus.

On the point of key length, formal decisions in the IETF are taken according 
to RFC 2026, not by the IETF plenary. The clear preference of the Danvers 
plenary for strong keys was embodied in RFC 1984 and has certainly not
been ignored, but the mandatory requirements of a Proposed Standard
are matters in the purview of the WG and the IESG. We do not find a process 
violation here.

We agree that the sentence referring to 40 bit keys is poorly phrased and
might be subject to the misunderstanding that all cited ciphers allow 40 bit
keys, which the table shows is not the case. 

   This sentence SHOULD be clarified when RFC 2451 is next revised. In light 
   of recent technical developments, even 56 bit keys SHOULD be deprecated in 
   such a revision.

We agree that the reference to "ECB" is misleading. 

   This SHOULD be corrected, and a reference to recently published work on 
   differential cryptanalysis should be added, when RFC 2451 is next revised.

On the other technical issues raised in the appeal we see no grounds
to revisit the WG rough consensus approved by the IESG. 

   We have DECIDED not to annul the IESG decision to approve RFC 2451 as Proposed Standard. 

However, the general quality of the text of RFC 2451 is unsatisfactory.
We also note that it confuses two topics: a general framework for ESP with CBC
mode, and the specification of how certain ciphers should be used within
that framework.

   We RECOMMEND a thorough technical and editorial review of
   RFC 2451 before it is considered for advancement on the
   standards track.  We believe that significant editorial
   revision will be necessary to clarify the issues identified
   in the appeal and probably some others.  It may even be
   desirable to split the document in two. If the revision
   process alters the underlying protocol, rather than merely
   the descriptive text, the document will, of course, have to
   be recycled at Proposed Standard level rather than being
   promoted to Draft Standard. We ENCOURAGE the IESG to
   carefully consider the content and nature of changes in
   making that decision.


FREE FLOW OF TEXT AND IDEAS

As noted above we take no position on the claim of "plagiarism and
misappropriating copyright". However, we note that the long-standing
tradition in the IETF, understood by all regular participants, is the
free flow of text and ideas between drafts and RFCs, as required by
progress in the working groups.  This principle is embodied in RFC
2026, which provides (10.2) that "[n]o contribution that is subject to
any requirement of confidentiality or any restriction on its
dissemination may be considered in any part of the Internet Standards
Process ...." and  (10.3.1.1) that "to the extent that the submission
is or may be subject to copyright, the contributor ... grant[s] an
unlimited perpetual, non-exclusive, royalty-free, world-wide right and
license to the ISOC and the IETF under any copyrights in the
contribution", including the right to prepare derivative works.

Clearly such free flow requires due acknowledgment, but does not
automatically imply formal authorship. We find the acknowledgements of
Mr Simpson's contributions in the IPSEC document set to correspond
generally to the IETF tradition. We note that particpants in the
original conception of IPSEC have differing recollections about the
sequence of ideas, which we find unsurprising.

   We RECOMMEND that as and when documents in the IPSEC document set
   are revised, a careful check for all missing acknowledgements to Mr
   Simpson and others, and all missing references to earlier work,
   should be made.

We also find the multiple gradations of levels of acknowledgement in
RFC 2451 (and other IPSEC documents) to be confusing and uncalled for.

   We RECOMMEND that as and when IPSEC documents are revised, all those
   in addition to the document editor(s) should simply be acknowledged
   at the same level in alphabetical order.

In the process of reviewing this, we have better understood that some further
clarification of the IETF standards process is needed with respect to free flow of
text between documents. We intend to make a separate recommendation
to the POISSON WG about this and other matters raised by the appeal.

Finally we note that Mr Simpson has a pending request for the
publication as RFCs of draft-simpson-cbc-01.txt,
draft-simpson-desx-02.txt and draft-simpson-des3v2-03.txt which has
never been handled by the IESG. We understand that the IESG did not
wish to see them published prior to RFC 2451, but that is long past. In
our opinion these documents are now overtaken by events, but their
status needs to be resolved. In general the IESG should make clear its
position on pending documents as soon as reasonably possible.

   We RECOMMEND the IESG to make a recommendation on these drafts to
   the RFC Editor within a matter of weeks. We SUGGEST that if the
   recommendation is against publication, Mr Simpson considers
   submitting an up to date summary of his critique of the WG consensus
   for publication as an Informational RFC.


REQUEST FOR ORAL ARGUMENT

Mr. Simpson asked for the opportunity to appear before the IAB to
personally argue each point in detail.  As we observed before, the IAB
is not a court of law.  Furthermore, RFC 2026's procedures for conflict
resolution and appeals (6.5) do not call for or anticipate that the IAB
should be required to hold hearings or receive oral argument.  Although
the IAB would have discretion in an appropriate case to hold such
proceedings, we do not believe that they are necessary here.

---