[TLS] Question regarding CFRG process

Trevor Perrin <trevp@trevp.net> Fri, 13 December 2013 00:06 UTC

Dear CFRG (cc: TLS, SAAG),

I'd like to understand how the CFRG decides on guidance to provide IETF WGs.

It appears the CFRG chairs provide this guidance based on their own
opinions, disregarding any feedback from the mailing list or IETF
meetings.

In particular, the CFRG chairs have repeatedly endorsed the
"Dragonfly" protocol to the TLS WG.  However, I find no evidence of
*ANY* positive feedback regarding Dragonfly in the CFRG mailing list
or meeting minutes, except from the draft's author and CFRG co-chair
Kevin Igoe.

Compared to Kevin's enthusiasm, note:
 * Respected cryptographers and security engineers like Jonathan Katz,
Adam Back, and Rene Struik expressed skepticism on the list
 * The single in-depth discussion at an IETF meeting was a string of complaints
 * Alternative proposals were made to CFRG (J-PAKE, AugPAKE).

Could the chairs please clarify how they decided to endorse Dragonfly to TLS WG?


Below is a summary of all CFRG discussion of Dragonfly.

=====

Feb 2008
 - Dan Harkins proposes early Dragonfly to CFRG
 http://www.ietf.org/mail-archive/web/cfrg/current/msg02205.html

 - Scott Fluhrer breaks it
 http://www.ietf.org/mail-archive/web/cfrg/current/msg02206.html

...

Nov 2011
 - David McGrew appoints Kevin Igoe as CFRG co-chair
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03026.html

Dec 2011
 - Dan Harkins asks CFRG to look at TLS-PWD, based on Dragonfly
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03044.html

 - Scott Fluhrer points out a problem
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03045.html

 - Adam Back questions necessity of it, and lack of security
   analysis
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03046.html

Jan 2012
 - Kevin Igoe's first email to CFRG:
   "I really like this idea & can find no problems."
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03047.html

 - Jonathan Katz questions lack of security analysis, points out
   problems
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03052.html
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03053.html

March 2012
 - At IETF 83 CFRG meeting, concerns are raised about:
   - SPEKE patents
   - necessity of a new scheme
   - timing attacks
   - non-augmented properties
 http://www.ietf.org/proceedings/83/minutes/minutes-83-cfrg.txt

May 2012
 - Kevin Igoe points out a limitation due to "hunting-and-pecking"
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03099.html

 - Zhou Sujing and Dan have an exchange that's hard to follow.
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03115.html

July 2012
 - At IETF 84 TLS meeting (CFRG does not meet):
   - Kevin Igoe informs TLS WG, as the CFRG chair:
     "We approve of it, very clear and usable for general setting."
 http://www.ietf.org/proceedings/84/minutes/minutes-84-tls

Oct 2012
 - Kevin Igoe calls CFRG attention to Dragonfly draft-00
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03214.html

 - Jonathan Katz asks for a security proof - there is none
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03215.html
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03216.html

Dec 2012
 - Kevin Igoe calls CFRG attention to Dragonfly
   - raises timing attack issue, proposes 2 fixes, including
     rediscovery of Dan's original broken method (2008)
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03258.html

 - Rene Struik points out the error in Kevin's proposal, and
   the inefficiency of Dragonfly relative to SPEKE
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03259.html

 - Scott Fluhrer points out the error in Kevin's proposal, and
   proposes a flawed "mostly constant time" fix.  Dan and Kevin
   embrace it.
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03260.html
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03262.html
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03263.html
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03264.html
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03265.html

Feb 2013
 - draft-01 is uploaded with flawed sidechannel fix
   - also quietly fixes security issue reported by Dylan Clarke
     and Feng Hao
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03309.html
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03529.html

Apr 2013
 - Kevin Igoe mentions a last call for Dragonfly
   "The design looks mature, it addresses a real need, and no one
    has raised any issues."
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03383.html

May 2013
 - Feng Hao asks CFRG to consider J-PAKE (an alternative)
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03430.html

July 2013
 - Rene Struik points out spec bugs, raises timing attack issue
   again
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03486.html
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03489.html

 - IETF 87, CFRG meeting:
   - "The author is working on a new (and hopefully final) draft"
 http://www.ietf.org/proceedings/87/minutes/minutes-87-cfrg

Aug 2013
 - draft-02 is uploaded with modifications to "hunting-and-pecking"
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03509.html

Sep 2013
 - SeongHan Shin asks CFRG to consider AugPAKE (an alternative)
 http://www.ietf.org/mail-archive/web/cfrg/current/msg03523.html

Nov/Dec 2013
 - Joe Salowey begins TLS-PWD last call, and informs TLS WG that:
   "The underlying cryptographic protocol for TLS-PWD has been
   reviewed by the IRTF CFRG group with satisfactory results."
 http://www.ietf.org/mail-archive/web/tls/current/msg10476.html

 - Uproar on TLS WG:

   - Many object to lack of formal security analysis:
     Douglas Stebila, Uri Blumenthal, Bodo Moeller, Rene Struik,
     Watson Ladd

   - Many point out better alternatives:
     SeongHan Shin, Robert Ransom, Watson Ladd, Trevor Perrin

   - Security flaws are pointed out by Bodo Moeller and
     CodesInChaos
   http://www.ietf.org/mail-archive/web/tls/current/msg10708.html
   http://www.ietf.org/mail-archive/web/tls/current/msg10768.html

   - Rene Struik and Bodo Moeller dispute that CFRG approved this
   http://www.ietf.org/mail-archive/web/tls/current/msg10769.html
   http://www.ietf.org/mail-archive/web/tls/current/msg10812.html

 - Eric Rescorla (TLS WG chair) states:
   "we did have a verbal report back from the chair of the CFRG
   that they considered it satisfactory"
 http://www.ietf.org/mail-archive/web/tls/current/msg10819.html


Trevor