IETF Logo Mail Archive

Re: [secdir] [Cfrg] Time to recharter CFRG as a working group? Was: Re: ISE seeks help with some crypto drafts

"StJohns, Michael" <msj@nthpermutation.com> Sun, 24 March 2019 10:02 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 527C012785F for <secdir@ietfa.amsl.com>; Sun, 24 Mar 2019 03:02:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W4UuzQqGyn2n for <secdir@ietfa.amsl.com>; Sun, 24 Mar 2019 03:02:37 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF2CC130E79 for <secdir@ietf.org>; Sun, 24 Mar 2019 03:02:36 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id q66so5342197ljq.7 for <secdir@ietf.org>; Sun, 24 Mar 2019 03:02:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aBHHqINkO99X6L3iyRPNaWNvcb0Rkk/q5KSDYvSVm5Y=; b=TuM9y6ZwgDm8vgBOI2Q2IargMTdjzzPohD/M5/Q6KntxwuNj7DrjLdQ6QMYVKu3jRR xL/K73Q2AAW4cqqEEU8oM9QSRSh2Ua6ZnXHPhcoI1/tzPEKpmpQ6UR192WiI/BquLMuZ tIAAlqZxeICswtBuKo7ebZbRLltzkph5XMvxWgOgBcN2D8A/w0/YS/n8vfv87h6atPDv 0B4NgTaCS0Sp7Y8DJq/90ZysewXJEUZYy623n+JCaFEFMNcTEyxdUJ74Ntl+c2VaPjsQ k/VxVt9rp+jE46Dhnoel/5b4viMmYGt4Ky65DeDhiXUXQIx1MIAUDe5qMuNLl8TGloho xy/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aBHHqINkO99X6L3iyRPNaWNvcb0Rkk/q5KSDYvSVm5Y=; b=b6CHQsyojpgTffIkS//qw6bSiOgO7KT0eabpyjrI8d9ttAWugXPRZ3O4zzuEoR/60P Nr4+D++Y90pzJb+zksArywwS4d+AeZoQsrckoC1RYxQEZizXC0Q7x5gX/fv55VUlQZBm YZr47ChRLCdz7Ll/haVhxdjGvkhMCjkzMgb7MV3jVp2SVjoVxm4GxDhNE3J/E9/HIpsU 583DU7lXCtJksxYu+zogljj5IXvmv6rPzbPMQYZntdK7kWPpzOp8ZO9NonDpMfmmAIwo LBjc6avTCmpyONtiaG7ID/h6iW6vEGR9KnXxGHE90oWq3aRPCg03LsyQHtRm+VmEG4Ku dRKg==
X-Gm-Message-State: APjAAAX06CyWqORqIQ5J3qdXVoCIm/Rfyqp0byDPc3NtgsZkogk1DRzw 8wQ378E3BdYa/V4IABmQ/f8D69LGEo6PfVB8vT35og==
X-Google-Smtp-Source: APXvYqyEJMulXcx+s/ibADtJeKmFaRvgO+AsvcwFDmavZRuEBkPOMA4QhW7RUwcjjUxnjIF4Vq+7zdpJTmwOsMr190g=
X-Received: by 2002:a2e:3204:: with SMTP id y4mr9981754ljy.90.1553421754974; Sun, 24 Mar 2019 03:02:34 -0700 (PDT)
MIME-Version: 1.0
References: <1d8de489fc976b63a911573300a431d4.squirrel@www.amsl.com> <alpine.LRH.2.21.1903081227200.30421@bofh.nohats.ca> <CAHOTMVLtjVxZNy3bFRn09xH+cOw+tPi2CL3BkaQuJEqxAzGOJg@mail.gmail.com> <edca701b-21f3-c80c-d754-fc333f1e2e04@cs.tcd.ie> <20190310182935.GE8182@kduck.mit.edu> <B876B124-7EDE-4E20-A878-3AAD3FA074BC@krovetz.net> <20190310191026.GF8182@kduck.mit.edu> <CAHOTMVJcosEgYV9caWapgyzQfh-g4k5DQry5n42bEfrkJvmdWQ@mail.gmail.com> <042b3f13-7d5a-12d7-e604-9f8cad197608@cs.tcd.ie> <CANeU+ZCmiTKfE1_YgjM6GX9ZCw_35mZoT8M-6VL72UhbenT2og@mail.gmail.com> <3FA4B2DD-334E-4C7C-A01E-6C370CAE4C00@ll.mit.edu> <2935C6E3-3AE8-4447-BA01-8DAE0410E5C6@ericsson.com> <CAL02cgSeCgAOOh3oMhJZqCGvT0F=JQ6n-bmgWYU=6hxkV+aOHQ@mail.gmail.com> <0d38eabd-6f90-2d19-3b45-f1ce19ba9b73@nthpermutation.com> <CAL02cgRVXn2U3SKhGh6biTZJKmHM6KrW6D_rVB2-ZTC5Oohh4w@mail.gmail.com> <829ca608-8d47-083e-e0a6-e7276525b080@nthpermutation.com> <5D247CD2-710E-4C78-8495-085C70D4CFAB@cisco.com> <9b192f26-8c19-494f-7430-7d1ca24872a3@nthpermutation.com> <AE9AC4D7-6863-4AC5-BDE5-6B507AC9ADE6@cisco.com>
In-Reply-To: <AE9AC4D7-6863-4AC5-BDE5-6B507AC9ADE6@cisco.com>
From: "StJohns, Michael" <msj@nthpermutation.com>
Date: Sun, 24 Mar 2019 11:02:24 +0100
Message-ID: <CANeU+ZD8KEnYnmGg4aiJeYvme6MtAUN4T8CxW_K3imBCp40sUQ@mail.gmail.com>
To: mcgrew <mcgrew@cisco.com>
Cc: CFRG <cfrg@irtf.org>, "RFC ISE (Adrian Farrel)" <rfc-ise@rfc-editor.org>, Richard Barnes <rlb@ipv.sx>, secdir <secdir@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e453a70584d42fd5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/08EI4z5OqkTZhS16QzLCM_8YNyM>
Subject: Re: [secdir] [Cfrg] Time to recharter CFRG as a working group? Was: Re: ISE seeks help with some crypto drafts
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Mar 2019 10:02:42 -0000

Sorry for the top post - it’s hard to get a coherent edit using an iPad.

Basically, you’ve confirmed what I said - that the CFRG is doing standards
like stuff, and that it just chose to do so.  I note that the change in
behavior was not accompanied by a change in the charter.  I’d expect that
going through a recharterng exercise to bring in line the documentation
with the group behavior would lend more credence to the idea that the
charter should be written for a WG.

WRT the registry - registries are usually created as a result of a
standards action and I was quite surprised to find that this one had been
created.  You used the phrase “make the specification future proof” which
again is more IETF than IRTF IMHOand suggests that the IETF should have
change control.

Later, Mike




On Tue, Mar 19, 2019 at 14:23 mcgrew <mcgrew@cisco.com> wrote:

> Hi Mike,
>
> Please see inline:
>
> > On Mar 18, 2019, at 4:43 PM, Michael StJohns <msj@nthpermutation.com>
> wrote:
> >
> > I don't understand - usually when I say "I'm fine with the status quo
> for now" people stop arguing with me.   Oh well.
> >
> > And thanks David for making some points for me.  See below.
> >
> >
> > On 3/18/2019 9:26 AM, mcgrew wrote:
> >> Hi Mike,
> >>
> >> Let me add few data points from a CFRG-historical perspective.  CFRG
> has been the first publisher of a number of specifications (for instance,
> XMSS, Poly1305, and HBS are in this category -
> https://datatracker.ietf.org/rg/cfrg/documents/) and has done essential
> review for some ISE-published crypto like UMAC (RFC 4418).
> >
> > My point was that becoming a first publisher puts the CFRG into the
> position of being the standardizer.  XMSS, Poly1305 and HBS (not yet
> published) are all 2018 and 2019 documents.  EDDSA was 2017.  In fact the
> set of documents currently attributed to the CFRG only goes back to 2014
> while the CFRG has been around a lot longer than that.  Something changed
>
> The RG shifted from discussing and reviewing independent documents towards
> producing its own documents.
>
> > and now we're getting standards-like production out of the CFRG.  Note
> that I don't think its a bad thing per se, just that you need to be
> following different rules than those that are applicable to RGs.
> >
> > For example, why does an informational document in the research stream
> need a registry?  (e.g. RFC8391)   That's about as obvious a
> standardization requirement as any I've seen in CFRG documents.
>
> The registry and the interface and extensibility it provides is essential
> to making a crypto specification future-proof. That is clearly best
> practice in cryptography, and as such is totally appropriate for the output
> of an IRTF RG document.   Some independent documents that were reviewed by
> CFRG also had registries.
>
> David
>
> >
> >>  For UMAC, it is worth noting that the ISE reviewers asked for changes
> around IPR language,
> >
> > I don't think I even recall seeing anything that wants to use UMAC - I
> may have missed a protocol or two though.  In any event, the request was to
> REMOVE claims about IPR language from the document and direct the authors
> to make a normal IPR disclosure. Again - pretty consistent with what we do
> with standards and IETF stream documents.
> >
> >> and CFRG reviewers made important improvements to the technical content
> as well (https://datatracker.ietf.org/doc/rfc4418/history/ and CFRG mail
> threads from fall 2005).  So the issues we are dealing with today are not
> really new.
> >
> > But again, that's normal for any document that comes in through any
> stream - specifically - people review it and usually irrespective of
> association with a specific WG/RG/directorate, etc.  The fact that the
> document author, the ISE and the IESG reached out the the CFRG is pretty
> much an example of looking for the experts in a pile of experts.  I'm not
> sure why this wouldn't happen if the CFRG were chartered as a WG?
> >
> >
> >>
> >> You have started a good, healthy discussion with the points that you
> have raised.  My thinking is that CFRG (including Kenny, Alexy, and the
> many contributors) is doing really good, really important work, and the
> IRTF and IETF should avoid changes that would disrupt it.
> >
> > I don't want to change the people, I don't even want to change the work
> flow (much - except that moving it to a WG would actually remove the IRTF
> from the approval process for an RFC), I just want this to be appropriately
> categorized and managed as a WG and subject to the same rules as any other
> WG.   I think its gone well past the normal rules for an RG at this point.
> >
> > Again - I've indicated my concerns and I'm happy the discussion is
> happening.  Unfortunately what I keep hearing is "we like it the way it is,
> now go and leave us alone" rather than "we're really a RG because we do
> things X, Y and Z so we really don't need to be a WG".  I'd really like to
> hear more commentary on that latter - especially how the CFRG in fact
> differs from the behavior of a WG.
> >
> > Thanks - Mike
> >
> >
> >
> >>
> >> Best,
> >>
> >> David
> >>
> >>> On Mar 15, 2019, at 2:52 PM, Michael StJohns <msj@nthpermutation.com>
> wrote:
> >>>
> >>> On 3/13/2019 7:32 AM, Richard Barnes wrote:
> >>>> Mike, are your concerns here primarily IPR related?  If that's so,
> then maybe that's the level at which we should address them, as opposed to
> flipping the bigger RG->WG switch.
> >>>>
> >>> Hi Richard -
> >>>
> >>> Like I said, I'm not going to push this at this time.  But I think its
> more than just IPR - avoiding technology because of IPR is more a symptom
> (and in fact is IETF guidance rather than IRTF policy).
> >>>
> >>> The CFRG has a unique position in that - unlike ANY other RG as far as
> I can tell - it's looked at as an immediate feeder for technology for the
> IETF.  If it were agnostically evaluating the crypto properties of any
> offered technology, I'd say we're good and I'd move on.  But, with the
> publication of Curve25519 and its related ... standards ..., the CFRG has
> moved from evaluation and re-publication of cryptographic standards
> developed and produced elsewhere into being the first publisher of what
> could only be characterized as standards, even if published as an
> Informational RFC in the IRTF stream.
> >>>
> >>> Ultimately, I think it comes down to fairness and transparency. As an
> RG, the publications of the RG are not subject to the standards appeals
> process.  In an WG, the decision not to work on an IPR encumbered
> technology (or others such as national cryptography) MAY be appealed and
> overturned (or might not) or sponsored by an AD if there's no applicable or
> agreeable WG. There's a process for showing such decisions were made
> transparently, and with a broader audience than just the CFRG having a say.
> >>>
> >>>
> >>> Later, Mike
> >>>
> >>> Ps - hmm... Note that the CFRG charter only mentions the IETF and not
> the IRTF....
> >>>
> >>> _______________________________________________
> >>> Cfrg mailing list
> >>> Cfrg@irtf.org
> >>> https://www.irtf.org/mailman/listinfo/cfrg
> >
> >
>
>

v2.23.0 | Report a Bug | By Email