Re: [saag] CFRG, CFRG crypto review panel and IETF consensus
Paul Wouters <paul.wouters@aiven.io> Sat, 20 April 2024 00:43 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62B4EC14F702 for <saag@ietfa.amsl.com>; Fri, 19 Apr 2024 17:43:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XtO90ePzH8IQ for <saag@ietfa.amsl.com>; Fri, 19 Apr 2024 17:43:02 -0700 (PDT)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A946C14F5F4 for <saag@ietf.org>; Fri, 19 Apr 2024 17:43:02 -0700 (PDT)
Received: by mail-ej1-x635.google.com with SMTP id a640c23a62f3a-a5565291ee7so296515666b.2 for <saag@ietf.org>; Fri, 19 Apr 2024 17:43:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1713573780; x=1714178580; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=TaqMk561kPNTubgCMZ+VUyj3IZMjYxEi+g+FE422Wvs=; b=XYsP9o+gBVeBgxI2dYYutxWAHCV+jNZb0LCxCJ9EBA8Z2cIN9sfjKS4yrAtkhQkKIV U/G4Gr3iOF5b7CooA13DGrf5/NT0W3hjSxwH6WBbZrGOG+6xArWPjr3OSRJ+vRa7uTBg Jc3zcWDwfes/v8DtkWXYxjzYqDLQ3pDVH5JBI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713573780; x=1714178580; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=TaqMk561kPNTubgCMZ+VUyj3IZMjYxEi+g+FE422Wvs=; b=pUwtxdGraDs3goV9/YOmM+k1yWEAgsbY2jwIp33wNqaRjlnDxCoWBl0ti1KQjIOgGh 0qK5jWdsPru3m10hA3/ZegOM7Ttuz8ynEjp52GTZL+UMmRjWxeYLocI6zhUm7si7KIbh J7A6nsuePKqiE/mXnxBFYn1Gc1DywrjgLyuS7cYHuRkhyqew/hiIsmtqu919K4AppX6p iQDVZ/fd2I/67g5RsDrsVPzz5S93dAzrMzMV5UxFp/XkNgRrtlS6hxyVMqVWL62vrOfB BlDeyxd/N9QlkeoXKuNdgLsjMdy9m1tE5ky/ZklpqtoVfw0bbApwLMIbU6WQ+RlbSmN1 CZ+w==
X-Gm-Message-State: AOJu0YzIVUwWI3Kjr9nEhp0/BtxzP5kK2bVBXmDeGV/ywAS6VWfOdQP0 tpxCZRB0lklyYtvZYYvoAOmfNk4e1NBLX2VgOBDuU63yVUrySPsN4fBqnKkBByEPQ0OuS9L3LvA h78176ajLFALBua9o3cOUJb2HPyF1dp1+s05AqRdEkINMzNmmJcc=
X-Google-Smtp-Source: AGHT+IHw8b+GyREzFUBhC8kdXbTGK07CLLgvhiwGdmu2kxscMM6SX3jPgavuKNdHAF7fUocUSMCQwUrfA+MPx4Mtd8g=
X-Received: by 2002:a17:906:6092:b0:a52:387b:8391 with SMTP id t18-20020a170906609200b00a52387b8391mr2173527ejj.34.1713573780111; Fri, 19 Apr 2024 17:43:00 -0700 (PDT)
MIME-Version: 1.0
References: <CACsn0cn_G=aAB_XdNrEoxfdPkKucjC4RRvNhtns=zR7bUuvYLQ@mail.gmail.com>
In-Reply-To: <CACsn0cn_G=aAB_XdNrEoxfdPkKucjC4RRvNhtns=zR7bUuvYLQ@mail.gmail.com>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Fri, 19 Apr 2024 20:42:48 -0400
Message-ID: <CAGL5yWYcFid=5HMwWgXfa7GCJhvTsWOgcNSPwXMkbycN7=j=Nw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: IETF SAAG <saag@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000075dc5706167c7cf8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ooxMtXaWqRTUHoXFnmDF7mjPLKY>
Subject: Re: [saag] CFRG, CFRG crypto review panel and IETF consensus
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Apr 2024 00:43:06 -0000
On Thu, Apr 18, 2024 at 1:18 PM Watson Ladd <watsonbladd@gmail.com> wrote: > Dear SAAG, > > I am quite confused about how the relation between IETF work and CFRG > work and the crypto review panel is supposed to work. The IESG, IAB and the ISE are hoping to clear this up. In the SSH > NTRUPrime discussion it appears that a negative report from the crypto > review panel is reason not to standardize an algorithm choice or > register it in the IETF space for a protocol It was me as Security Area Director, not choosing to "AD Sponsor" a new algorithm. This is not about "IETF standardization". It was one of the inputs leading to my decision. Note that a more regular way of getting a new algorithm into a protocol is for a BoF and then Working Group to take on such work. The WG would hopefully also take the opinion of CFRG into account. Various IETF protools have a RECOMMENDED value that typically would only be set for algorthms that have very broad consensus from the IESG (and IRTF). Note that in this case SSH has a tweak of this, as it only has an "OK to implement" field. This was one other input in my decision, as I could not AD Sponsor this with a RECOMMENDED set to NO, and I felt specifying NTRUprime as an AD Sponsored RFC would be misinterpreted as to what the consensus on recommended status was. Note also that I was never preventing NTRUprime from getting a code point allocated in the SSH IANA Key Type registry, so I was not blocking the deployment of NTRUprime within the IETF namespace. I don't recall this being the way things used to work, and I think its > had very negative effects on the way the CFRG functions, as well as > stretching the IETF/IRTF distinction beyond the breaking point. What are those negative effects this SSH discussion caused? I agree in general with you, which for example can be seen by how many types the HPKE RFC is references as a DOWN REF due to it being an IRTF and not IETF document. > Simply > put having knock out contests like we did for curves and PAKES, > combined with an endless series of reviews and last calls creates some > very adversarial debates and raises tensions and hampers cooperation. > Right. I guess part of that is that the CFRG should ideally be one step away from the implementers of the algorithms, but what we are seeing is a lot of of them spearheading their own algorithms. This makes it harder for the CFRG as a community to be seen as a more independent evaluator of the wider (outside IETF) cryptographic community. > It also moves away from the running code part and rough consensus: if > a group of people have made choices that work for them, we now make > ourselves irrelevant by saying no Again, this is incorrect. The IETF did not say no to NTRUprime for SSH. A code point was requested and the Designated Experts of the SSH registry approved it. I cannot yet point to the email audit trail here because the ssh-reg-review@ietf.org was not properly working when the request was made and approved, but this is being addressed and backfilled. > rather than trying to accommodate > their concerns. The CFRG review panel is not well placed to have these > conversations as it knows nothing of the broader context and has very > limited interaction with the proposal. > It is still the best we have. It is better than a single AD listening to a single author of an algorithm to make a decision. It also puts the CFRG into a place where it is making standardization > choices that properly being to the IETF, and not even the CFRG but a > subpanel. This is also not correct. It did not make a decision. It advised an AD, whom made a decision on a specific process path to an RFC that is a non-standard, exceptional path. AD Sponsoring is not the standard method for getting a cryptographic algorithm standardized in the IETF, especially because the we would like to discuss these in the wider IETF/IRTF communities. > This isn't to say that we should abandon security examination of > proposed algorithms, but it's pretty clear that we have treated > cryptographic primitives very differently in ways that undermine core > principles of the IETF process. > I guess I do not support this conclusion. The path that should have been followed for something like NTRUprime should be similar to the one followed by "ChaCha20 and Poly1305 for IETF Protocols". See https://datatracker.ietf.org/doc/draft-irtf-cfrg-chacha20-poly1305/history/ Note that if you are worried about the CFRG backlog, adding additional algorithms for evaluation for IETF usage should be carefully considered. Based on my personal information gathering, those resources are perhaps not best spend on NTRUprime at this point in time (and yes I understand not everyone agrees). SSH was one of the last IANA registries we fixed a few months ago to be able to get new code points without needing RFCs. So if anything, we have lately _improved_ our process to allow people to run whatever crypto they want to run. The IETF is not blocking anyone from using their favourite cryptography within IETF protocols. The value of an RFC comes from the IETF/IRTF communities and their careful considerations, consensus forming, operational experience and maintenance of the specifications defined. That having an RFC number can act as a status symbol for nation states, algorithm authors, enterprises, competitions and others, and that vendors use RFC numbers to allocate their own limited engineering capabilities is unfortunate. RFCs have a cost and as you have seen, resources within the IETF and IRTF are limited. Choices need to be made and we try to have community processes to steer this while being flexible enough to cater to exceptions. The goal of the IETF is to make the internet work better. RFCs are just one part of that. Again, stay tuned for the IESG, IAB and ISE trying to bring more clarity to the specific processes related to cryptography. Paul -- bad type setting is solely the fault of gmail :)
- [saag] CFRG, CFRG crypto review panel and IETF co… Watson Ladd
- Re: [saag] CFRG, CFRG crypto review panel and IET… Stephen Farrell
- Re: [saag] CFRG, CFRG crypto review panel and IET… Salz, Rich
- Re: [saag] CFRG, CFRG crypto review panel and IET… Deb Cooley
- Re: [saag] CFRG, CFRG crypto review panel and IET… Salz, Rich
- Re: [saag] CFRG, CFRG crypto review panel and IET… Deb Cooley
- Re: [saag] CFRG, CFRG crypto review panel and IET… Eric Rescorla
- Re: [saag] CFRG, CFRG crypto review panel and IET… Stephen Farrell
- Re: [saag] CFRG, CFRG crypto review panel and IET… Eric Rescorla
- Re: [saag] CFRG, CFRG crypto review panel and IET… Stephen Farrell
- Re: [saag] CFRG, CFRG crypto review panel and IET… S Moonesamy
- Re: [saag] CFRG, CFRG crypto review panel and IET… Simon Josefsson
- Re: [saag] CFRG, CFRG crypto review panel and IET… Paul Wouters
- Re: [saag] CFRG, CFRG crypto review panel and IET… Watson Ladd
- Re: [saag] CFRG, CFRG crypto review panel and IET… Eliot Lear
- Re: [saag] CFRG, CFRG crypto review panel and IET… Salz, Rich
- Re: [saag] CFRG, CFRG crypto review panel and IET… Paul Wouters
- Re: [saag] CFRG, CFRG crypto review panel and IET… Yoav Nir
- Re: [saag] CFRG, CFRG crypto review panel and IET… Michael Richardson
- Re: [saag] CFRG, CFRG crypto review panel and IET… Michael StJohns
- Re: [saag] CFRG, CFRG crypto review panel and IET… Melinda Shore
- Re: [saag] CFRG, CFRG crypto review panel and IET… Watson Ladd