[Cryptography] The role of the IETF in security of the Internet: for or against the NSA? for or against the security of users of the net?

John Kelsey crypto.jmk at gmail.com
Sun Jul 20 16:14:42 EDT 2014


> On Jul 20, 2014, at 5:18 AM, ianG <iang at iang.org> wrote:
...

> Hence, we can suggest that IETF WGs are vulnerable to takeover by rich
> organisations.  Who would find that a ridiculous claim?  Whose voice is
> dominant in the IETF security WGs?  The large American corporations that
> pushed PKI always?  Or the many American banking customers who got
> phished because it didn't work?  Clearly, the former.  The latter can't
> afford it.

I think there's a more fundamental point that touches both on this discussion and on the earlier one about volunteers with security clearances.  A huge amount of the important stuff going on in the world right now is built on volunteer efforts and is seriously short on money.  That's not just open source software--instead it ranges from discussion on the internet[1] to Wikipedia to standards groups to art and music to journalism.  

That means that anyone with money can have an outsized effect on the world, by simply providing cash and hiring people to volunteer.  And anyone doing that can also influence what gets produced.  Volunteers provide what they want to provide, not what needs to be provided, and if you're letting your employees volunteer for something, you can definitely tell them they're not allowed to help with X, or are expected to help with Y in a way that moves what's being done in a desired direction[2].  

The natural way to avoid this is to move in the direction of the folks who know a lot about infiltration and sabotage--the community of spooks and defense contractors and such who deal with classified information.  But that ends up with a lot of really wonderful stuff not getting done.  If the barrier to entry for working on an open source software project is a background check and an intrusive set of personal questions and financial disclosures, there won't be a hell of a lot of volunteers.  (And you'll have to wonder why the people who *did* volunteer were so interested in volunteering!)  

My belief is that one of the things that makes really explosive improvements in the world happen (like the internet) is that there aren't high barriers for new people to get involved.  The world's a better place when some nobody you've never heard of is allowed to hack together his own personal version of Unix, or invent a new programming language, or write a new editor, or do research in cryptography.  And that works when people can just get interested, start getting involved, and do useful and interesting and wonderful stuff.  That's pretty much the opposite of the kind of world we get if we go down the background check/security clearance path.

[1] IMO, most of the most insightful discussions going on on the net about politics, society, economics, science, etc., come from bloggers (and sometimes podcasters) who are, in general, not making a living producing those discussions.  At the high end, the participants are much smarter, and the very narrow ideological bounds of US media discussions don't apply.  At the low end, of course, the discussions are stupid, but you don't have to read those.  I think it's easy to find bloggers whose commentary is much, much smarter and more insightful than the editorial and op-ed pages of the New York Times or Washington Post, for example.  

[2] Think about standards group participation for dozens of examples, ranging from getting your company's IP included in the standard to spiking a competitor's product by sticking a lot of painful extra steps into the standard.    

--John



