Response to the request to remove CFRG co-chair (gmane.org)
72 points by jkbyc on Jan 7, 2014

I wrote a short summary about what this was about a few weeks ago:


(Shorter: CFRG is the IETF's crypto review† board, and one of its co-chairs is an NSA employee).

This outcome was a near-certainty, for the simple reason that nobody came up with (or even nominated) a replacement for Igoe. IETF people have worked with Igoe, in person, for years. He is probably a very nice, very earnest person. Removing him from the CFRG without even having a replacement would have been demonstratively hostile without improving the quality of the research group.

Unfortunately, despite a few threads of very solid crypto discussion on CFRG during the Igoe debate, most of it was marked by shrill, repetitive, and often mistaken political commentary. The mailing list had the tenor of a Wikipedia "Articles for Deletion" debate that had been circulated on Reddit. IETF long-timers were visibly irritated. There was also an unhelpful strain of back-and-forth between Dan Harkins, the author of the (flawed) Dragonfly PAKE whose CFRG endorsement started this mess, and Harkins' detractors. At times, the whole thing looked a little petty, especially since Dragonfly is now a dead letter anyways.

It remains weird that IETF's crypto-review board is chaired by an NSA employee. But it doesn't have to stay that way. Igoe has been on the job for many years now, and, from my remove, that job seems pretty thankless. What needs to happen is for someone else to be floated as a new co-chair for the group. I wouldn't be surprised if Igoe voluntarily stepped aside for the right name.

(David McGrew, the group's other co-chair, disputes this characterization, but the facts on the ground seem to argue that "review board" is the CFRG function that matters.)

> He is probably a very nice, very earnest person.

Obviously. Being a pushy jerk explicitly forcing your employer's agenda wouldn't be very fruitful and thus would be a bad job performance by an NSA employee in such a position.

> Igoe has been on the job for many years now, and, from my remove, that job seems pretty thankless.

Have you seen his NSA performance reviews? :)

I propose Dan Bernstein. Now let's do this.

You can't just do that. Bernstein has to want to do it, and agree, and if you don't want to look silly that has to happen before his nomination is posted to the mailing list.

Yes, on second thought, DJB would probably have much more impact working in a group that's creating crypto standards rather than just reviewing other people's proposals.

For what it's worth: that's what he already does. For example, Bernstein is one of the coordinators for CAESAR, the competition for new authenticated bulk ciphers.


I think that was salient's point -- he's already creating crypto standards and he's likely better suited to that than simply reviewing others' proposals.

"unlike in many other organizations, IRTF co-chairs are little more than group secretaries"

Assuming that's true, I think DJB has something better to do with his time than making sure the carrot cake has been ordered and unsubscribing mailing list subscribers who reported emails as spam.

Also, "keep friends close and enemies closer": as an employee of an organization that has a goal of the overthrow of the US constitution and elimination of human rights, the best place to keep the rep of an evil organization is in the public eye. So if he's Mr. Good Guy, no harm, and if we keep an eye on him, no harm; net positive to keep him in place.

> The IRTF and IETF have always welcomed participation by all, […]

As I wrote previously¹: “We have a tacit assumption that all participants have realized that better standards (and strong crypto, more secure systems) will lead to the betterment of all. This is the default assumption.

However, now that the U.S. government, and the NSA and its collaborators in particular, have been shown to explicitly not have this goal – in fact, their goal has been to strive for less secure systems and more difficult standards – what should be done? The logical thing to do is to exclude any person or organization revealed to have an agenda explicitly contrary to the group.”

Having an all-inclusionist policy is “Geek Social Fallacy #1”². This case illustrates why you cannot let an inclusionist policy be all-overriding. Toxic people and representatives of explicitly adversarial organizations cannot be allowed to participate in, and thereby sabotage, both the work and goodwill of a committee.

1) https://news.ycombinator.com/item?id=6945314

2) http://www.plausiblydeniable.com/opinion/gsf.html

There is a shadow of McCarthy's red scare in the suggestion that no NSA affiliated people be allowed to participate.

How would you determine if a participant had affiliation? How many degrees of separation must there be before a person is trustworthy in their neutrality?

As well, it would require an approval process for new participants, closing the working groups. Even should the folks decide to abandon the current model of participation, how would you determine someone new wasn't affiliated, and who has the right to decide who is trustworthy?

It's argued often here that extreme transparency is the cure for shadowy practices, and I don't think it gets much more transparent than group review of any changes to any specs.

To expect that excluding publicly aligned NSA folks would solve any problem is foolhardy, given that it's an intelligence agency and I'm sure fully capable of installing clandestine participants.

Therefore, I would argue that exclusion is very much an illogical choice. The logical thing to do here would be to increase scrutiny on any changes.

(To note, this comment is not about removing the co-chair privileges from Igoe; if the position is really as powerful as some say, yeah let someone else do it. I'm just saying don't start suggesting people be banned from participating).

> There is a shadow of McCarthy's red scare in the suggestion that no NSA affiliated people be allowed to participate.

The analogy is so stretched as to be meaningless. At least as it refers to the McCarthy portion of the Red Scare, the objectionable portions were: targeting participation in purely domestic political groups, and falsely accusing people of affiliations they didn't have.

It wouldn't be at all objectionable to exclude from employment with the State Department or Army people who were actively openly affiliated with organizations directly sponsored by the Soviet Union. (Though acting in movies presents a different question.)

Likewise, it makes no sense for a standards group to be chaired by a person openly and actively affiliated with an organization which has as a goal subverting those very standards.

This really isn't that hard to understand:

1. Banning persons with open affiliations encourages people to hide their affiliation with those organizations.

2. Then, banning persons with supposed affiliations encourages abuse of the banning process.

Exactly. Comparing the excluding of openly hostile entities to McCarthyism is exactly Geek Social Fallacy #1: “Ostracizers Are Evil”.

I was simply proposing the obvious step of not allowing explicitly hostile forces into a group. If the hostile forces then choose to disguise themselves, so be it. But to let them in knowing they are hostile seems stupid.

I grant you that closing mere participation by having pre-screening is probably an unworkable and too costly a step; costly in more ways than one.

I still feel we ought not let them chair the committee, though. I mean, the NSA heading a committee working on publicly available crypto? It’s an oxymoron and a contradiction in terms. It’s the fox guarding the hen house.

It's a little early to be making a slippery slope argument. This is about employees of an organization that has actively worked to subvert similar related processes.

>There is a shadow of McCarthy's red scare in the suggestion that no NSA affiliated people be allowed to participate.

Umm .. there's more than a shadow of fascist totalitarianism in the NSA. I think there is ample evidence to demonstrate that this group is destroying the USA. Really!

Maybe it's more like being wary of people wearing arm-bands with swastikas?

>However, now that the U.S. government, and the NSA and its collaborators in particular, have been shown to explicitly not have this goal – in fact, their goal has been to strive for less secure systems and more difficult standards – what should be done? The logical thing to do is to exclude any person or organization revealed to have an agenda explicitly contrary to the group.”

It should be an obvious and routine matter for any organization/group that has a conflict-of-interest policy.

The usual way for conflict-of-interest policies to work is for the one whose interests are in conflict to simply recuse themselves from voting.

It is not so simple for the IETF and IRTF, since they traditionally have eschewed voting and instead opt for “rough consensus and running code”. Also, the position of the NSA is fundamentally opposed to what the CFRG is supposed to achieve, so I don’t see how a normal conflict-of-interest policy is going to help.

And Trevor Perrin's response: http://thread.gmane.org/gmane.ietf.irtf.cfrg/2337

I concur: Kevin Igoe should resign, if nothing else then to remove the cloud of suspicion, given the revelations of NSA sabotage.

I have a feeling if Kevin Igoe truly has the best interests of the group in mind, he would.

On the other hand, if his mission is to sabotage their work I think that's much less likely to happen, particularly with Lars' support. I wonder if the resulting increased scrutiny will cripple the working group.

Sorry lol, I just had a witch-hunt moment. If she's a witch the place will be a better place without her, but if she isn't she will become a martyr in the name of god.

Not exactly a fan of the NSA, and on top of that I think a lot of companies like to spy even without the help of the NSA, but come on guys, is that really the level we're arguing on?

Sometimes those in power can refuse to kick out others alongside them that are in power. Friendships could've been formed etc.

So the logical conclusion is to request the removal of the CFRG chair, too, and replace him with someone who will remove the NSA co-chair. Or just start boycotting and ignoring everything this group is proposing from now on in cryptography - whichever way works.

> Should we then eliminate all individuals affiliated with the NSA from participating?

Um - hell yes?! After all that's happened and everything the NSA has been trying to do to undermine the security of the web and US infrastructure, too? Of course the answer to that is YES! Otherwise, I personally have no trust in anything this group, or the IETF on the whole, will be releasing from now on, if that's their attitude about this.

International security standards should be created without the involvement of spy agencies - especially when they've already been discovered to be trying to implement hardware backdoors on multiple occasions (even in the recent UAE satellite). NSA is hostile to security and to security standards. They've proven it already. So treat them as being hostile.

I have no idea who Lars Eggert really is, but the quality of the rebuttal is very good. In such a critical field, where non-experts cannot understand what is going on and where we can only trust the experts, such a nice response on a very controversial and emotionally charged topic is very appreciable.

I thought so too first but then I read Trevor Perrin's response to Lars Eggert: http://www.ietf.org/mail-archive/web/cfrg/current/msg03778.h... and it seems quite clear that Eggert failed to consider a number of important aspects, just one example from Perrin's mail:

> So unlike the title "co-chair" might imply, and unlike in many other organizations, IRTF co-chairs are little more than group secretaries.

The chair is far more than a "group secretary". As RFC 2014 section 5.3 states:

""" The Research Group Chair is concerned with making forward progress in the areas under investigation, and has wide discretion in the conduct of Research Group business. [...] The Chair has ultimate responsibility for ensuring that a Research Group achieves forward progress. """

Funny .. I think he did a lousy job. I'd call this a snow job if I ever saw one. Moved the goalposts, changed the target, and arrived at a conclusion that is not going to be popular, in order to avoid 'controversy'.

Screw controversy. Are we going to be protected by the CFRG or not? At this point, it seems likely that we are not.

Goodbye, CFRG.

I agree ... it's well-reasoned and well-written. But gently deciding to do nothing is also the easiest thing to do and gives you the option to back-pedal later saying "more information has come to light".

The message is easier to read on Gmane:


It's also very readable by displaying the source code of the page.

Or by giving the PRE element a "white-space: pre-wrap;" attribute via Firebug, Safari Web Inspector, or your favorite equivalent.

It's astounding to me that they are allowing him to retain his position. If for no other reason than the message it sends. How disturbing.

I'm just not sure how you can ignore the fact that his employer is NSA. By proxy, he's doing evil (at least imo).

He chooses to work for an agency that breaks the law. Do we just turn a blind eye?

If he was answering phones there, it'd be one thing, but he's a cryptography expert. I'd imagine he'd be only a degree or two removed from something nefarious.

Just following orders is not an excuse if you have a conscience.

e - grammar

What if he worked for local police, which help keep order around the NSA headquarters? Or chooses to operate a US based company, sending more tax money to fund the NSA?

At any rate, if the NSA wanted to continue to participate, they'd just hire people not officially associated with the NSA.

