IETF Logo Mail Archive

Re: [saag] CFRG, CFRG crypto review panel and IETF consensus

Eric Rescorla <ekr@rtfm.com> Thu, 18 April 2024 20:46 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18072C14F738 for <saag@ietfa.amsl.com>; Thu, 18 Apr 2024 13:46:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jr9n3WXIhtfT for <saag@ietfa.amsl.com>; Thu, 18 Apr 2024 13:46:04 -0700 (PDT)
Received: from mail-yw1-x1135.google.com (mail-yw1-x1135.google.com [IPv6:2607:f8b0:4864:20::1135]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDE1FC14F61D for <saag@ietf.org>; Thu, 18 Apr 2024 13:46:04 -0700 (PDT)
Received: by mail-yw1-x1135.google.com with SMTP id 00721157ae682-61804067da0so14085687b3.0 for <saag@ietf.org>; Thu, 18 Apr 2024 13:46:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1713473164; x=1714077964; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=XuwdM8QyHmANxWZ/FOmqBcgveUHyzA7DdQQ8HAKYpZk=; b=f5479d3P/7ccqkjgK1/HHyOJgsjx6eZcwKN3w22VKib4BN8oaI2k3+bPWgNde10+hw onpQd8ahSCqb4o8xIf3Kv4fYmeM6INI6bWrdx29TZEbdotwc9h6oezjSoLPcpHOL9QP5 N839e09yFTccH3OD8dBD05sslsE0cJ8qKUxb1MEx5lt1+hEWQ5Dnl+DTvef592ukIQzK F/jlL9S/OpVQmEzO6lcT7CHe6o7QpUDAwgYnCMqpJSh+5NYPH+EHCtIghK68DD1xeqJF 6/Ds5RqGn9CFrBXLHGCPCqEWWUED3d6nMFmkczoDaBr9ye4CJE7+zhaLXOvTbI2MP6+0 4iJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713473164; x=1714077964; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=XuwdM8QyHmANxWZ/FOmqBcgveUHyzA7DdQQ8HAKYpZk=; b=tNfYnJRKG5AaCTL5JV/MHLDS0IlFjXignmuj5z3on7ttkak6Rmb/3LYHVCIoZ0K2dX Y8R5zqkQRA8fNjbP05/fWfImU6xv4j9SEFI3y25CShx+3qvVTHc6mRsQdTVsIhlg3885 37eGgcMFE9LObdd9UrR/uixI2VDGLDMfce3YRgObzXt8Dqx4HIZqcifUkfeK5y+IABAf tWL1EOsVqKyigM+7BvMhSpBjTZnfd93/PPMWsXDLFaNjva9DBBFYEBN0lZSpFP5OCB4E nY30gI3lgpRzMc4mPgiruHoiqiAhsUy01lXmJuwlAcpxiu5NGdjsSW2CRzZOBR5+jKGG 95fA==
X-Forwarded-Encrypted: i=1; AJvYcCWiaCOoT5jWj9RL5QgwMgBpNe/YOrGRFaCqujfYapULCZOPJSs6c2nEVTpnop+Zpcr3RpA32sJkye5s2r+N
X-Gm-Message-State: AOJu0YyzMR9QXH0TG5nLOTk918vnqFF0BipmF+SBY6OF4iB8oDq894XH fFFRRc4wJacs6xX8v24yqJiJ5wlhO5CNdMJUaqFClNjjG+ESBZXM54ZKtWLq7DpDAHE17mQieTK 7x6NCcmqTN4nWMhjpzNhGLeX8cD7RE7mv0r7ylA==
X-Google-Smtp-Source: AGHT+IEVJXziIZ5gdFNLwqi7lbNIOlv7n6uv5OTeKexv+fBy9R+3C0jLqoX+RHJlossbuz+vqnGVLAyfcN8CnkDQHq4=
X-Received: by 2002:a05:690c:c8e:b0:617:fe2a:a0aa with SMTP id cm14-20020a05690c0c8e00b00617fe2aa0aamr127534ywb.6.1713473163647; Thu, 18 Apr 2024 13:46:03 -0700 (PDT)
MIME-Version: 1.0
References: <CACsn0cn_G=aAB_XdNrEoxfdPkKucjC4RRvNhtns=zR7bUuvYLQ@mail.gmail.com> <53ac606e-2c27-4fb9-a456-4787f1747406@cs.tcd.ie> <CABcZeBPFXOzvwLdO_KFfaWmQsGD8HcuO14X5aPap09rEHwi8Og@mail.gmail.com> <4362f680-59ea-4d1f-b4c0-855f34de5b6f@cs.tcd.ie>
In-Reply-To: <4362f680-59ea-4d1f-b4c0-855f34de5b6f@cs.tcd.ie>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 18 Apr 2024 13:45:27 -0700
Message-ID: <CABcZeBPTE161QHdR5MgazY_BqczE63qBHO6gM8vug2f188qpTg@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Watson Ladd <watsonbladd@gmail.com>, IETF SAAG <saag@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000040791b0616650f1b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/xfL5OEfzyMGZKqHQqXrSfN2Gxjw>
Subject: Re: [saag] CFRG, CFRG crypto review panel and IETF consensus
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2024 20:46:07 -0000

On Thu, Apr 18, 2024 at 1:25 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Hiya,
>
> On 18/04/2024 21:13, Eric Rescorla wrote:
> > On Thu, Apr 18, 2024 at 12:04 PM Stephen Farrell <
> stephen.farrell@cs.tcd.ie>
> > wrote:
> >
> >>
> >> Hiya,
> >>
> >> On 18/04/2024 18:18, Watson Ladd wrote:
> >>> Dear SAAG,
> >>>
> >>> I am quite confused about how the relation between IETF work and CFRG
> >>> work and the crypto review panel is supposed to work. In the SSH
> >>> NTRUPrime discussion it appears that a negative report from the crypto
> >>> review panel is reason not to standardize an algorithm choice or
> >>> register it in the IETF space for a protocol, and that this comes
> >>> without discussion of the merits and consensus among even the CFRG
> >>> participants.
> >>
> >> I agree the above has been stated as being the case and
> >> would be hugely problematic. Even a CFRG consensus that
> >> something is bad ought not by itself be sufficient reason
> >> to block the IETF, never mind a crypto panel review that
> >> wasn't a topic of discussion. It's ok that either thing
> >> is weighed in reaching a conclusion but there should be
> >> no vetoes.
> >>
> >
> > As far as I can tell this isn't "blocking the IETF".  This is an
> individual
> > submission,
> > AD sponsorship of individual drafts is entirely at AD discretion, and
> Paul
> > has
> > opted not to sponsor.
>
> I agree it's entirely up to Paul and any AD as to whether
> or not to AD sponsor a document. That wasn't what I was
> asking be clarified.
>
> To be more concrete: I think at one point Paul described the
> crypto panel review as a consensus process which it's not.
>

I don't know enough to have an opinion on this statement.



> The 2nd mis-statement was that an AD should not sponsor
> any document that had received a negative opinion from CFRG,
> which I think oversteps the bounds of IRTF/IETF interactions.
>

This doesn't seem like a misstatement but rather a position you
happen to disagree with. With that said, I think it's entirely
within the realm of discretion of an AD to choose not to sponsor
documents with negative opinions from any group of people
they trust (or, for that matter, to sponsor no documents at all).

Do you have some citation to an IETF document that says otherwise?

-Ekr





>
> I'd hope clarifying these things should be straightforward.
> (And has nothing to do with SSH.)
>
> Cheers,
> S.
>
> >
> > It would obviously be different if there were IETF consensus to form a WG
> > and publish this draft and someone were citing the CFRG as a veto point,
> > but that's not what's happening here.
> >
> > -Ekr
> >
> >
> >>
> >> I think it'd be good if this situation were clarified.
> >>
> >> Cheers,
> >> S.
> >>
> >>>
> >>> I don't recall this being the way things used to work, and I think its
> >>> had very negative effects on the way the CFRG functions, as well as
> >>> stretching the IETF/IRTF distinction beyond the breaking point. Simply
> >>> put having knock out contests like we did for curves and PAKES,
> >>> combined with an endless series of reviews and last calls creates some
> >>> very adversarial debates and raises tensions and hampers cooperation.
> >>> It also moves away from the running code part and rough consensus: if
> >>> a group of people have made choices that work for them, we now make
> >>> ourselves irrelevant by saying no rather than trying to accommodate
> >>> their concerns. The CFRG review panel is not well placed to have these
> >>> conversations as it knows nothing of the broader context and has very
> >>> limited interaction with the proposal.
> >>>
> >>> It also puts the CFRG into a place where it is making standardization
> >>> choices that properly being to the IETF, and not even the CFRG but a
> >>> subpanel. The massive backlog of documents results in part from an
> >>> extremely lengthy process even after RGLC, which I think results in
> >>> part from the higher perceived stakes.
> >>>
> >>> This isn't to say that we should abandon security examination of
> >>> proposed algorithms, but it's pretty clear that we have treated
> >>> cryptographic primitives very differently in ways that undermine core
> >>> principles of the IETF process.
> >>>
> >>> Sincerely,
> >>> Watson Ladd
> >>>
> >> _______________________________________________
> >> saag mailing list
> >> saag@ietf.org
> >> https://www.ietf.org/mailman/listinfo/saag
> >>
> >
>

v2.23.0 | Report a Bug | By Email