[Cryptography] NSA co-chair claimed sabotage on CFRG list/group (was Re: [cryptography] ECC patent FUD revisited

Adam Back adam at cypherspace.org
Mon Jan 6 22:41:08 EST 2014 

On Sun, Jan 05, 2014 at 09:36:29AM -0000, D. J. Bernstein wrote:
>NSA's Kevin Igoe writes, on the semi-moderated cfrg at irtf.org list:
>>[...] impact the Certicom patents have on the use of newer families of
>> curves, such as Edwards curves.
>
>[...] patent FUD. [...] used to argue against switching to curves that
>improve ECC security.  Notice also the complete failure to specify any
>patent numbers---so the FUD doesn't have any built-in expiration date, and
>there's no easy way for the reader to investigate further.

I am not sure people are aware and I suppose I am going to stick my neck out
and make it my problem to draw the lists attention to it, but the co-chair
of IRTF CFRG (where Dan Bernstein forwarded the above quote from) is an NSA
employee, and there was a call to remove him from that role on the basis
that the NSA is now openly known to be sabotaging internet security
standards.  And also on the basis of several other specific complaints of
claimed likely sabotage looking back with this new information (with
implications like the above observation by DJB, but in relation to proposing
insecure changes, misrepresenting the groups opinion etc).  The claims are
all spelled out if you want to read below.

Lars who is the person who through IRTF process was to review the question,
and concluded he would leave things as they are with various justifications
quoted below by Trevor.

I support whole-heartedly what Trevor said in response (below) and I
encourge people to read it.  A bit of sunlight might help if the IAB gets
involved perhaps.  Whethere or not there is anything provable is not the
point.

The comments on this relatively long thread on CFRG got a little weird and
hard to follow motives for participants comments in places to my reading. 
Maybe several parties with different slants and motives countervailing the
public interest.  Or just rude "pragmatists" (an exceedingly dangerous
species of engineer in crypto or privacy areas in my experience).

Adam

======================================================================
Date: Mon, 6 Jan 2014 17:48:51 -0800
From: Trevor Perrin <trevp at trevp.net>
To: "cfrg at irtf.org" <cfrg at irtf.org>
Cc: IAB IAB <iab at iab.org>
Subject: Re: [Cfrg] Response to the request to remove CFRG co-chair

Hi Lars,

Thanks for considering this request.

Of course, I'm disappointed with the response.

--

I brought to your attention Kevin's record of technical mistakes and
mismanagement over a two year period, on the major issue he has
handled as CFRG co-chair.  You counted this as a single "occurrence",
and considered only the narrow question whether it is "of a severity
that would warrant an immediate dismissal".

I appreciate your desire to be fair to Kevin and give him the benefit
of the doubt.  But it would be better to consider what's best for
CFRG.  CFRG needs a competent and diligent chair who could lead review
of something like Dragonfly to a successful outcome, instead of the
debacle it has become.

--

I also raised a conflict-of-interest concern regarding Kevin's NSA
employment.  You considered this from the perspectives of:
  (A) Kevin's ability to subvert the group's work, and
  (B) the impact on RG participation.

Regarding (A), you assessed that IRTF chairs "are little more than
group secretaries" who "do not wield more power over the content of
the ongoing work than other research group participants".

That's a noble ideal, but in practice it's untrue.  Chairs are
responsible for creating agendas, running meetings, deciding when and
how to call for consensus, interpreting the consensus, and liaising
with other parties.  All this gives them a great deal of power in
steering a group's work.

You also assessed that the IETF/IRTF's "open processes" are an
adequate safeguard against NSA subversion, even by a group chair.  I'm
not sure of that.  I worry about soft forms of sabotage like making
Internet crypto hard to implement securely, and hard to deploy widely;
or tipping groups towards dysfunction and ineffectiveness.  Since
these are common failure modes for IETF/IRTF crypto activities, I'm
not convinced IETF/IRTF process would adequately detect this.


Regarding (B), you judged this a "tradeoff" between those who would
not participate in an NSA-chaired CFRG (like myself), and those
"affiliated with NSA" whom you presume we would "eliminate" from
participating.

Of course, that's a bogeyman.  No-one wants to prevent anyone else
from participating.

But the chair role is not a right given to every participant, it's a
responsibility given to those we trust.  The IETF/IRTF should not
support a chair for any activity X that has a strong interest in
sabotaging X.  This isn't a "slippery slope", it's common sense.

--

Finally, I think Kevin's NSA affiliation, and the recent revelations
of NSA sabotage of a crypto standard, raises issues you did not
consider.

You did not consider the cloud of distrust which will hang over an
NSA-chaired CFRG, and over the ideas it endorses.

You also did not consider that as the premier Internet standards
organization, the IETF/IRTF's actions here will make an unavoidable
statement regarding the acceptability of such sabotage.

We have the opportunity to send a message that sabotaging crypto
standards is unacceptable and destroys public trust in those
organizations in a way that has real consequences.  Or we send a
message that it's no big deal.

This is a political consideration rather than a technical one, but it
needs to be considered.  We're sending a message either way.

--

I understand there's no formal appeal process, but these issues are of
great importance to the IRTF and IETF, and would benefit from the
perspective IAB possesses.

I would appreciate if the IAB would consider reviewing this issue and
expressing its judgement.

Trevor

(a couple comments below)


On Sat, Jan 4, 2014 at 11:49 PM, Eggert, Lars <lars at netapp.com> wrote:
> Hi,
>
> on Dec 20, 2013, I received a request from Trevor Perrin in my role as
> IRTF Chair to consider the removal of Kevin Igoe as one of the co-chairs
> of the IRTF's Crypto Forum Research Group (CFRG).  The request stated
> several reasons for the removal:
>
> (1) That Kevin Igoe provided the only positive feedback on the "Dragonfly"
> key exchange protocol.
>
> (2) That Kevin Igoe made technical suggestions that would have weakened
> the cryptographic properties of "Dragonfly".
>
> (3) That Kevin Igoe misrepresented the CFRG opinion on "Dragonfly" to the
> IETF's TLS working group.
>
> (4) That Kevin Igoe is employed by the NSA.
>
> I have reviewed the mailing list discussion, as well as the emails that
> were sent privately. Thank you all for being candid in your feedback.
>
> David McGrew, the CFRG's other co-chair, has already posted a detailed
> timeline of events on points 1-3 to the list and concluded that the
> research group process has been followed imperfectly.  I share this
> conclusion.

Dragonfly discussions started in December 2011.  David's timeline
begins in October 2012, skipping:
  * The early critical feedback which Kevin ignored [1]
  * Kevin's "nitpicking detail" which breaks the protocol's security [2]
  * Kevin's cheerleading for a protocol whose use cases and
alternatives he made no effort to understand [3]

[1]
http://www.ietf.org/mail-archive/web/cfrg/current/msg03046.html
http://www.ietf.org/mail-archive/web/cfrg/current/msg03052.html
http://www.ietf.org/proceedings/83/minutes/minutes-83-cfrg.txt

[2]
http://www.ietf.org/mail-archive/web/cfrg/current/msg03047.html

[3]
http://www.ietf.org/mail-archive/web/cfrg/current/msg03047.html
http://www.ietf.org/proceedings/84/minutes/minutes-84-tls


[...]
> So unlike the title "co-chair" might imply, and unlike in many other
> organizations, IRTF co-chairs are little more than group secretaries.

The chair is far more than a "group secretary".  As RFC 2014 section 5.3
states:
"""
The Research Group Chair is concerned with making forward progress in
the areas under investigation, and has wide discretion in the conduct
of Research Group business.  [...] The Chair has ultimate responsibility
for ensuring that a Research Group achieves forward progress.
"""
_______________________________________________
Cfrg mailing list
Cfrg at irtf.org
http://www.irtf.org/mailman/listinfo/cfrg

More information about the cryptography mailing list