[Cryptography] The role of the IETF in security of the Internet: for or against the NSA? for or against the security of users of the net?

Trevor Perrin trevp at trevp.net
Tue Jul 22 10:12:04 EDT 2014


On Tue, Jul 22, 2014 at 3:11 AM, ianG <iang at iang.org> wrote:
> Hi Stephen,
>
> On 20/07/2014 17:54 pm, Stephen Farrell wrote:
>>
>> Hiya,
>>
>> On 20/07/14 10:18, ianG wrote:
>>> E.g., a recent case in point was a discussion on algorithmic agility
>>> which I engaged in at saag and tcpinc.  It was *expensive* ... the
>>> discussion bounced back and forth between groups, with procedure and
>>> claims of 'consensus' being used as weapons by incumbents.  I spent a
>>> lot of hours!  Which I cannot afford!  In the end, the emerging fresh
>>> anti-consensus was more or less slapped down, but it also seems that the
>>> push to encode algorithm agility into RFC got stalled.
>>
>> You may end up in the rough in that discussion, but I would point
>> out that a) you (and anyone able to talk sense:-) are free to take
>> part and
>
>
> I'd say this is a difference of perspective.  Of course, anyone who pays
> green fees and wears the right shoes is welcome to take part.  And if
> they end up being pushed out into the rough, well, no doubt that can
> happen to anyone, the rules are fair, right?

[...]

> This stinks of club politics.  No willingness to give grounds on the
> direct important issue, even though it is clearly in play in the more
> philosophical arena of saag/Russ ... seems like pushing the rebels out
> into the rough, while the local champion is eased forward.

[...]

> So, likely I won't be doing so much more.  The point against algorithm
> agility has been made, and I cannot justify more expenditure if others
> in IETF are going to outspend me, *especially* if the message is that
> politics are being used to get what is desired.
>
>
> John Kelsey's post on the 'volunteer' nature of the net is well taken,
> individual volunteers are easy to push around, and corporates can be
> focussed.  Either the IETF WGs are corporates in volunteer's clothing,
> or it's too easy for it to slide that way.
>
> How do we address this?  Well, I reckon the only answer for an
> organisation like IETF is to look to competitions with winner take all.
>  But they have to be open competitions, and the rules have to be open,
> not stacked in advance such as is happening with TCPinc.

I feel much the same, but your proposal is naive - IETF insiders are
opposed to competitions.  For example, see the discussion around TLS
1.3 process:

http://www.ietf.org/mail-archive/web/tls/current/msg11657.html

http://www.ietf.org/mail-archive/web/tls/current/msg12023.html

If I was cynical, I might say it's because competition means less
control for the leadership, and less opportunity to buy support by
letting everyone throw their pet ideas in.

If I was generous, I'd say it's because the IETF process only backs
into "competitions" when the committee process runs into hard
questions and splinters into competing camps.  Lacking decision-making
mechanisms the resulting chaos is painful, scarring, and something the
leadership has an instinct to avoid.


> (The dictator approach solves the design mess, but it doesn't solve the
> fight for power within the WG, indeed it probably makes it as bad or worse.)

At best an IETF WG *is* a small and dictatorial design group, plus a
suggestion box for random supplicants to toss ideas in.

Sometimes such a group does good, sometimes it doesn't.  But if you
want competition and meaningful alternatives you're going to have to
find that outside the process, rather than inside it.


Trevor

