Re: [secdir] [Cfrg] Time to recharter CFRG as a working group? Was: Re: ISE seeks help with some crypto drafts

[Michael StJohns <msj@nthpermutation.com>]

On 3/10/2019 7:38 PM, Blumenthal, Uri - 0553 - MITLL wrote:
> I do not think CFRG should move to become a part of the IETF.
>
> While (some of) the CFRG-produced documents may be de-facto standards, 
> they aren't of the kind that IETF is expected to define, and deal with 
> somewhat different things.

My point is that the CFRG is behaving more like a WG and should be 
following WG rules and not RG rules.    The charter for the CFRG 
basically says it can bring stuff that's been published elsewhere ("... 
via Informational RFCs (in the tradition of, e.g., RFC 1321 (MD5) and 
RFC 2104 (HMAC)."), but has become the first publisher for a few things 
that weren't mere republications but involved setting on-the-wire/on 
disk formats (e.g., Curve25519 and related) that have been accepted as 
de-facto standards.  Then there's the requirements setting documents.  
If these were just math publications with the bits and bytes formats 
published in the IETF, that would be fine - but that doesn't appear to 
be what's happening.

Now Stephen is suggesting that the CFRG become the filter through which 
all crypto related things are brought to the IETF or independent 
stream.  Two things - CFRG is not in the IETF, and that's not the 
general purpose of a research group.   Rechartering the CFRG (or part of 
it) as a WG following WG rules would at least fix that problem.

A third possibility (the first was rechartering, the second was 
splitting into a IETF WG and an IRTF RG), is dual chartering the CFRG as 
both a RG and a WG. It would allow/require the group to produce actual 
standards, but also to keep on with it's more researchy tasks.

The fourth possibility is doing a better job of referring the less 
research/more practical bit and byte on the wire documents to the IETF 
rather than keeping them and also leave the filtering to the IETF groups 
such as secdispatch or saag.

Later, Mike

>
> Regards,
> Uri
>
> Sent from my iPhone
>
> On Mar 10, 2019, at 18:46, StJohns, Michael <msj@nthpermutation.com 
> <mailto:msj@nthpermutation.com>> wrote:
>
>> I’ve been wondering for a while now whether it’s time to move the 
>> CFRG over to the IETF as a working group.  Stephen’s comment on 
>> routing stuff directly to the CFRG suggests to me that it’s probably 
>> time or RSN.
>>
>>    In recent years, the CFRG has produced documents that are for lack 
>> of a better phrase de facto standards.  The rate of document 
>> production of the CFRG mimics more closely that of a WG than the 
>> other extant RGs AFAICT.   As an RG the CFRG isn’t permitted to 
>> publish standards track documents, nor is the IESG or the ISE 
>> permitted or constrained to require a conflict review on the 
>> documents the CFRG does produce.  [the latter comment is my 
>> understanding of the rules of the research stream - it may be flawed, 
>> but the purpose of RGs is supposed to be looking at futures and that 
>> by definition shouldn’t be conflicting with the nows].
>>
>> An alternative might be to charter a crypto standards WG and try to 
>> keep the CFRG focused on years out - say how the heck do we deal with 
>> the quantum apocalypse?
>>
>> Or keep the math in CFRG and the on the wire specs for using in a WG.
>>
>>
>>
>> Discuss!
>>
>> Mike
>>
>> On Sun, Mar 10, 2019 at 17:48 Stephen Farrell 
>> <stephen.farrell@cs.tcd.ie <mailto:stephen.farrell@cs.tcd.ie>> wrote:
>>
>>
>>
>>     PS: In case the ISE is still listening, the above is a
>>     reason why I think having CFRG produce this kind of RFC
>>     (instead of routing 'em via the ISE) would be a better
>>     plan. CFRG could (I think) likely reach better informed
>>     judgements (in the open) as to whether or not some crypto
>>     technique is really worth documenting in an RFC.
>>