IETF Logo Mail Archive

Re: [saag] CFRG, CFRG crypto review panel and IETF consensus

Watson Ladd <watsonbladd@gmail.com> Sat, 20 April 2024 02:07 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A3A3C169410 for <saag@ietfa.amsl.com>; Fri, 19 Apr 2024 19:07:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HvQo0qSbh4rN for <saag@ietfa.amsl.com>; Fri, 19 Apr 2024 19:07:22 -0700 (PDT)
Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13CADC16940F for <saag@ietf.org>; Fri, 19 Apr 2024 19:07:22 -0700 (PDT)
Received: by mail-wr1-x435.google.com with SMTP id ffacd0b85a97d-346f4266e59so1778204f8f.3 for <saag@ietf.org>; Fri, 19 Apr 2024 19:07:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713578840; x=1714183640; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=sCPZj5QcxMJuFH3tBDxs4cs4yfTvBmEScUm7uUOFxO8=; b=jD2p0O3HWXHDnXyWEakfciHrJgWjVs7MqslixtRU9oJe/eBmvUujj38ZEKxHOuQHFn PjEs7mobxKkmP78nGV+hXl5cwMqemyLHQXddEQMZFFW1x8zNONWu2KOSkTPC/vmOVk5S mUL/yTHXTBdqfI2s3mAtmLCVNfu/ODrMKqP7FR0Ek+twraqVGp70kCG+HV6NeYLQuNR2 ruL8vm5CWNkI0b85LBQWhJgT6eCgjuQ+dQUDatxuiBCdUSm8Z/Kt08IKpkhkphE0X8RY T3y+jdfiHt9n1IVGl7K6Iz1aY8ekBLXIxJQ5+KDDlv56C13rpv23PaXSLNw4/aJKg1fh zpYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713578840; x=1714183640; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=sCPZj5QcxMJuFH3tBDxs4cs4yfTvBmEScUm7uUOFxO8=; b=eNcyCt35sRm+h/JeT533LxMcGu9h6wiwVsluEUl/Cbz1+Z5ACWZxS8QBBawuBRo1iO 6R/ZOUrbhyriRN6Z8E0F7xJMozl/DH//bcqFrVx+MkQpng2oQJI+kcmS0Sf1B+T+94YT zGh3+rXTDKn3jXk1l6g3RSfDaGNz67QUnRBtU1MuPTfI1AA9fQBIarTznxpPZ2MFqr7Y m4Nyd2eaCXP2nzwcoC27JvbGesHwgUK5NaJHNMUsMmcTbZuAKqGCpR7OUsGq3hJ6GX2H aHtpVyx5VPEVrpMikMAx0hBg3NuXf/cJWbtL8CpsOD1LX8Zb6HwG3ljWjSqdR4yauLAw m7sg==
X-Gm-Message-State: AOJu0YzSAVAFXuhdk8nrZ542vOXf/LVw1tWKCFnRvOgr1/ZJIr6PJyE4 aEWf3ZWX5u7w6qfd3lo+MpxkRm4hPlYOysmD49jjY2M6STuHiNTLNSabcUVXGISn8W/31XbA/er tFD3+ocYQGEUau8g7BSA6/e0avQY=
X-Google-Smtp-Source: AGHT+IGAV2DPvT0YshdVudSpJ3wZkOkyQ4gJA1ARsql3/pfgW6s1cuM7Z5J2DiGWHYjTW27PqzG4X0Hotzrrq39veLM=
X-Received: by 2002:a5d:514c:0:b0:34a:6a6b:e6eb with SMTP id u12-20020a5d514c000000b0034a6a6be6ebmr1698393wrt.25.1713578839685; Fri, 19 Apr 2024 19:07:19 -0700 (PDT)
MIME-Version: 1.0
References: <CACsn0cn_G=aAB_XdNrEoxfdPkKucjC4RRvNhtns=zR7bUuvYLQ@mail.gmail.com> <CAGL5yWYcFid=5HMwWgXfa7GCJhvTsWOgcNSPwXMkbycN7=j=Nw@mail.gmail.com>
In-Reply-To: <CAGL5yWYcFid=5HMwWgXfa7GCJhvTsWOgcNSPwXMkbycN7=j=Nw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 19 Apr 2024 19:07:08 -0700
Message-ID: <CACsn0ckxm21Sz4Puo3Grzyu84DeL59PriXrQ6uJTo-Au+NCoPw@mail.gmail.com>
To: Paul Wouters <paul.wouters@aiven.io>
Cc: IETF SAAG <saag@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/aRXq1EnzJXgxIJ4uSaoD4cNBpns>
Subject: Re: [saag] CFRG, CFRG crypto review panel and IETF consensus
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Apr 2024 02:07:22 -0000

On Fri, Apr 19, 2024 at 5:43 PM Paul Wouters <paul.wouters@aiven.io> wrote:
>
>
> On Thu, Apr 18, 2024 at 1:18 PM Watson Ladd <watsonbladd@gmail.com> wrote:
>>
>> Dear SAAG,
>>
>> I am quite confused about how the relation between IETF work and CFRG
>> work and the crypto review panel is supposed to work.
>
>
> The IESG, IAB and the ISE are hoping to clear this up.

I would like to have a discussion where people who participate in the
relevent fora and draft authors can raise their concerns. Saying the
IESG, IAB and ISE are going to come on from on high to sort it doesn't
fill me with confidence. The SSH draft prompted me to write the email,
but as I've said in other emails, it isn't a great example of the
problem.

>
>
>>
>> Simply
>> put having knock out contests like we did for curves and PAKES,
>> combined with an endless series of reviews and last calls creates some
>> very adversarial debates and raises tensions and hampers cooperation.
>
>
> Right. I guess part of that is that the CFRG should ideally be one step away from the implementers of the algorithms, but what
> we are seeing is a lot of of them spearheading their own algorithms. This makes it harder for the CFRG as a community to be
> seen as a more independent evaluator of the wider (outside IETF) cryptographic community.

It's been a decade since CFRG decided to standardize a PAKE. The draft
of the contest winner (not something that IETF ever does well) that
everyone agrees is the best has taken 4 years since the contest was
held to be published. Then the SPAKE2 draft got published without a
consensus statement despite having gone through RGLC, as well as being
referenced by a Kerberos draft. CPACE, which is the winner in the
other category has likewise not been published, and the feature that
let it edge out SPAKE2 proved to be pretty problematic in the actual
writing and integration with IETF protocols. I don't think any of this
was because implementors (distinct from people who write papers) were
participating. Generally that's a positive: someone has to make the
running code after all, and groups with a tight integration between
participant and implementor do function well at the IETF.

RFC 9497, and assorted drafts took five years. Thankfully blind RSA
took a comparatively speedy 2 years. This isn't a terribly rewarding
environment for young academics, who face evaluation on similar
timescales. It's difficult to justify the effort even commercially if
it isn't really needed to get things out there.

>
> SSH was one of the last IANA registries we fixed a few months ago to be able to get new code points without needing RFCs. So if anything, we have
> lately _improved_ our process to allow people to run whatever crypto they want to run. The IETF is not blocking anyone from using their favourite cryptography
> within IETF protocols.
>
> The value of an RFC comes from the IETF/IRTF communities and their careful considerations, consensus forming, operational experience and maintenance of
> the specifications defined. That having an RFC number can act as a status symbol for nation states, algorithm authors, enterprises, competitions and others, and
> that vendors use RFC numbers to allocate their own limited engineering capabilities is unfortunate.

If vendors didn't think that they should support RFCs that were
applicable above their own proprietary extensions or alternate
standards, there wouldn't be any consensus forming worth noting. And
if standardization didn't matter to authors, people wouldn't
participate. I don't think having the RFC number is inherently
attractive enough to justify spending the sums on travel that
participants and their employers do to participate. Rather it's
because there is value in having the way things work be broadly agreed
upon and not exclude anyone that the IETF is valuable to participate
in and hence becomes the forum for operational experience and
maintenance to be shared.

OpenSSL has a policy of only adding features to TLS that have an RFC
finished, and are very reluctant to add things without a spec. So for
a large proportion of the internet, either there is an RFC or it will
never get made for the single most important cryptographic protocol.
In the case of cryptographic algorithms there are ways around it, but
for protocol features it's a challenge.

>
> RFCs have a cost and as you have seen, resources within the IETF and IRTF are limited. Choices need to be made and we try to have community processes to steer this while
> being flexible enough to cater to exceptions. The goal of the IETF is to make the internet work better. RFCs are just one part of that.
>
> Again, stay tuned for the IESG, IAB and ISE trying to bring more clarity to the specific processes related to cryptography.
>
> Paul
> --
> bad type setting is solely the fault of gmail :)

Sincerely,
Watson Ladd

-- 
Astra mortemque praestare gradatim

v2.23.0 | Report a Bug | By Email