
Response to the request to remove CFRG co-chair - jkbyc
http://article.gmane.org/gmane.ietf.irtf.cfrg/2337
======
tptacek
I wrote a short summary about what this was about a few weeks ago:

[https://news.ycombinator.com/item?id=6942145](https://news.ycombinator.com/item?id=6942145)

(Shorter: CFRG is the IETF's crypto review† board, and one of its co-chairs is
an NSA employee).

This outcome was a near-certainty, for the simple reason that nobody came up
with (or even nominated) a replacement for Igoe. IETF people have worked with
Igoe, in person, for years. He is probably a very nice, very earnest person.
Removing him from the CFRG without even having a replacement would have been
demonstratively hostile without improving the quality of the research group.

Unfortunately, despite a few threads of very solid crypto discussion on CFRG
during the Igoe debate, most of it was marked by shrill, repetitive, and often
mistaken political commentary. The mailing list had the tenor of a Wikipedia
"Articles for Deletion" debate that had been circulated on Reddit. IETF long-
timers were visibly irritated. There was also an unhelpful strain of back-and-
forth between Dan Harkins, the author of the (flawed) Dragonfly PAKE whose
CFRG endorsement started this mess, and Harkins' detractors. At times, the
whole thing looked a little petty, especially since Dragonfly is now a dead
letter anyways.

It remains weird that IETF's crypto-review board is chaired by an NSA
employee. But it doesn't have to stay that way. Igoe has been on the job for
many years now, and, from my remove, that job seems pretty thankless. What
needs to happen is for someone else to be floated as a new co-chair for the
group. I wouldn't be surprised if Igoe voluntarily stepped aside for the right
name.

† _(David McGrew, the group's other co-chair, disputes this characterization,
but the facts on the ground seem to argue that "review board" is the CFRG
function that matters)_

~~~
salient
I propose Dan Bernstein. Now let's do this.

~~~
tptacek
You can't just do that. Bernstein has to want to do it, and agree, and if you
don't want to look silly that has to happen before his nomination is posted to
the mailing list.

~~~
salient
Yes, on second thought, DJB would probably have much more impact working in a
group that's _creating_ crypto standards rather than just reviewing other
people's proposals.

~~~
tptacek
For what it's worth: that's what he already does. For example, Bernstein is
one of the coordinators for CAESAR, the competition for new authenticated bulk
ciphers.

[http://competitions.cr.yp.to/caesar-committee.html](http://competitions.cr.yp.to/caesar-committee.html)

~~~
jlgaddis
I think that was salient's point -- he's _already_ creating crypto standards
and he's likely better suited to that than simply reviewing others' proposals.

------
teddyh
> The IRTF and IETF have always welcomed participation by all, […]

As I wrote previously¹: “_We have a tacit assumption that all participants
have realized that better standards (and strong crypto, more secure systems)
will lead to the betterment of all. This is the default assumption._

_However, now that the U.S. government, and the NSA and its collaborators in
particular, have been_ shown _to explicitly_ not _have this goal – in fact,
their goal has been to strive for_ less _secure systems and_ more difficult
_standards – what should be done? The logical thing to do is to exclude any
person or organization revealed to have an agenda explicitly contrary to the
group._”

Having an all-inclusionist policy is “Geek Social Fallacy #1”². This case
illustrates why you cannot let an inclusionist policy be all-overriding. Toxic
people and representatives of _explicitly_ adversarial organizations _cannot_
be allowed to participate in, and thereby sabotage, both the work and goodwill
of a committee.

1)
[https://news.ycombinator.com/item?id=6945314](https://news.ycombinator.com/item?id=6945314)

2)
[http://www.plausiblydeniable.com/opinion/gsf.html](http://www.plausiblydeniable.com/opinion/gsf.html)

~~~
mattlutze
There is a shadow of McCarthy's red scare in the suggestion that no NSA
affiliated people be allowed to participate.

How would you determine if a participant had affiliation? How many degrees of
separation must there be before a person is trustworthy in their neutrality?

As well, it would require an approval process for new participants, closing
the working groups. Even should the folks decide to abandon the current model
of participation, how would you determine someone new wasn't affiliated, and
who has the right to decide who is trustworthy?

It's argued often here that extreme transparency is the cure for shadowy
practices, and I don't think it gets much more transparent than group review
of any changes to any specs.

To expect that excluding publicly aligned NSA folks would solve any problem is
foolhardy, given that it's an intelligence agency and I'm sure fully capable
of installing clandestine participants.

Therefore, I would argue that exclusion is very much an illogical choice. The
logical thing to do here would be to increase scrutiny on any changes.

(To note, this comment is not about removing the co-chair privileges from
Igoe; if the position is really as powerful as some say, yeah let someone else
do it. I'm just saying don't start suggesting people be banned from
participating).

~~~
bradleyjg
> There is a shadow of McCarthy's red scare in the suggestion that no NSA
> affiliated people be allowed to participate.

The analogy is so stretched as to be meaningless. At least as it refers to the
McCarthy portion of the Red Scare, the objectionable portions were: targeting
participation in purely domestic political groups, and falsely accusing people
of affiliations they didn't have.

It wouldn't be at all objectionable to exclude from employment with the State
Department or Army people who were actively openly affiliated with
organizations directly sponsored by the Soviet Union. (Though acting in movies
presents a different question.)

Likewise, it makes no sense for a standards group to be chaired by a person
openly and actively affiliated with an organization which has as a goal
subverting those very standards.

~~~
mattlutze
This really isn't that hard to understand:

1\. Banning persons with open affiliations encourages people to hide their
affiliation with those organizations.

2\. Then, banning persons with supposed affiliations encourages abuse of the
banning process.

------
ajays
And Trevor Perrin's response:
[http://thread.gmane.org/gmane.ietf.irtf.cfrg/2337](http://thread.gmane.org/gmane.ietf.irtf.cfrg/2337)

I concur: Kevin Igoe should resign, if nothing else then to remove the cloud
of suspicion, given the revelations of NSA sabotage.

~~~
e28eta
I have a feeling if Kevin Igoe truly has the best interests of the group in
mind, he would.

On the other hand, if his mission is to sabotage their work I think that's
much less likely to happen, particularly with Lars' support. I wonder if the
resulting increased scrutiny will cripple the working group.

~~~
rjzzleep
Sorry, lol, I just had a witch-hunt moment. If she's a witch the place will be
a better place without her, but if she isn't she will become a martyr in the
name of God.

Not exactly a fan of the NSA, and on top of that I think a lot of companies
like to spy even without the help of the NSA, but come on guys, is that really
the level we're arguing on?

------
salient
Sometimes those in power can refuse to kick out others alongside them that are
in power. Friendships could've been formed etc.

So the logical conclusion is to request the removal of the CFRG chair, too,
and replace him with someone who _will_ remove the NSA co-chair. Or just
start boycotting and ignoring everything this group is proposing from now on
in cryptography - whichever way works.

> Should we then eliminate all individuals affiliated with the NSA from
> participating?

Um - hell yes?! After all that's happened and everything NSA has been trying
to do to _undermine_ the security of the web and US infrastructure, too? Of
course the answer to that is YES! Otherwise, I personally have no trust in
anything this group, or the IETF as a whole, will be releasing from now on, if
that's their attitude about this.

_International_ security standards should be created without the involvement
of spy agencies - especially when they've already been discovered to be trying
to implement hardware backdoors on multiple occasions (even in the recent UAE
satellite). NSA is _hostile_ to security and to security standards. They've
proven it already. So treat them as being hostile.

------
Loic
I have no idea who Lars Eggert _really_ is, but the quality of the rebuttal
is very good. In such a critical field, where non-experts cannot understand
what is going on and where we can only _trust the experts_, such a nice
response on a very controversial and emotionally charged topic is much
appreciated.

~~~
jkbyc
I thought so too at first, but then I read Trevor Perrin's response to Lars
Eggert:
[http://www.ietf.org/mail-archive/web/cfrg/current/msg03778.html](http://www.ietf.org/mail-archive/web/cfrg/current/msg03778.html)
and it seems quite clear that Eggert failed to consider a number of important
aspects. Just one example from Perrin's mail:

> So unlike the title "co-chair" might imply, and unlike in many other
> organizations, IRTF co-chairs are little more than group secretaries.

The chair is far more than a "group secretary". As RFC 2014 section 5.3
states:

""" The Research Group Chair is concerned with making forward progress in the
areas under investigation, and has wide discretion in the conduct of Research
Group business. [...] The Chair has ultimate responsibility for ensuring that
a Research Group achieves forward progress. """

------
ash
The message is easier to read on Gmane:

[http://article.gmane.org/gmane.ietf.irtf.cfrg/2337](http://article.gmane.org/gmane.ietf.irtf.cfrg/2337)

~~~
jkbyc
It's also very readable by displaying the source code of the page.

~~~
aaronem
Or by giving the PRE element a "white-space: pre-wrap;" attribute via Firebug,
Safari Web Inspector, or your favorite equivalent.

------
colinbartlett
It's astounding to me that they are allowing him to retain his position. If
for no other reason than the message it sends. How disturbing.

------
zequel
I'm just not sure how you can ignore the fact that his employer is NSA. By
proxy, he's doing evil (at least imo).

He chooses to work for an agency that breaks the law. Do we just turn a blind
eye?

If he was answering phones there, it'd be one thing, but he's a cryptography
expert. I'd imagine he'd be only a degree or two removed from something
nefarious.

Just following orders is not an excuse if you have a conscience.

e - grammar

~~~
MichaelGG
What if he worked for the local police, which helps keep order around the NSA
headquarters? Or chooses to operate a US-based company, sending more tax money
to fund the NSA?

At any rate, if the NSA wanted to continue to participate, they'd just hire
people not officially associated with the NSA.

------
andyjohnson0
Previous discussion:
[https://news.ycombinator.com/item?id=6942145](https://news.ycombinator.com/item?id=6942145)

