(Shorter: CFRG is the IETF's crypto review† board, and one of its co-chairs is an NSA employee).
This outcome was a near-certainty, for the simple reason that nobody came up with (or even nominated) a replacement for Igoe. IETF people have worked with Igoe, in person, for years. He is probably a very nice, very earnest person. Removing him from the CFRG without even having a replacement would have been demonstratively hostile without improving the quality of the research group.
Unfortunately, despite a few threads of very solid crypto discussion on CFRG during the Igoe debate, most of it was marked by shrill, repetitive, and often mistaken political commentary. The mailing list had the tenor of a Wikipedia "Articles for Deletion" debate that had been circulated on Reddit. IETF long-timers were visibly irritated. There was also an unhelpful strain of back-and-forth between Dan Harkins, the author of the (flawed) Dragonfly PAKE whose CFRG endorsement started this mess, and Harkins' detractors. At times, the whole thing looked a little petty, especially since Dragonfly is now a dead letter anyways.
It remains weird that IETF's crypto-review board is chaired by an NSA employee. But it doesn't have to stay that way. Igoe has been on the job for many years now, and, from my remove, that job seems pretty thankless. What needs to happen is for someone else to be floated as a new co-chair for the group. I wouldn't be surprised if Igoe voluntarily stepped aside for the right name.
† (David McGrew, the group's other co-chair, disputes this characterization, but the facts on the ground seem to argue that "review board" is the CFRG function that matters)
Obviously. Being a pushy jerk explicitly forcing your employer's agenda wouldn't be very fruitful and thus would be a bad job performance by an NSA employee in such position.
> Igoe has been on the job for many years now, and, from my remove, that job seems pretty thankless.
Have you seen his NSA performance reviews? :)
Assuming that's true, I think DJB has something better to do with his time than making sure the carrot cake has been ordered and unsubscribing mailing list subscribers who reported emails as spam.
Also, as for "keep friends close and enemies closer": for an employee of an organization that has a goal of the overthrow of the US constitution and elimination of human rights, the best place to keep the rep of an evil organization is in the public eye. So if he's Mr. Good Guy, no harm, and if we keep an eye on him, no harm; net positive to keep him in place.
As I wrote previously¹: “We have a tacit assumption that all participants have realized that better standards (and strong crypto, more secure systems) will lead to the betterment of all. This is the default assumption.
However, now that the U.S. government, and the NSA and its collaborators in particular, have been shown to explicitly not have this goal – in fact, their goal has been to strive for less secure systems and more difficult standards – what should be done? The logical thing to do is to exclude any person or organization revealed to have an agenda explicitly contrary to the group.”
Having an all-inclusionist policy is “Geek Social Fallacy #1”². This case illustrates why you cannot let an inclusionist policy be all-overriding. Toxic people and representatives of explicitly adversarial organizations cannot be allowed to participate in, and thereby sabotage, both the work and goodwill of a committee.
How would you determine if a participant had affiliation? How many degrees of separation must there be before a person is trustworthy in their neutrality?
As well, it would require an approval process for new participants, closing the working groups. Even should the folks decide to abandon the current model of participation, how would you determine someone new wasn't affiliated, and who has the right to decide who is trustworthy?
It's argued often here that extreme transparency is the cure for shadowy practices, and I don't think it gets much more transparent than group review of any changes to any specs.
To expect that excluding publicly aligned NSA folks would solve any problem is foolhardy, given that it's an intelligence agency and I'm sure fully capable of installing clandestine participants.
Therefore, I would argue that exclusion is very much an illogical choice. The logical thing to do here would be to increase scrutiny on any changes.
(To note, this comment is not about removing the co-chair privileges from Igoe; if the position is really as powerful as some say, yeah let someone else do it. I'm just saying don't start suggesting people be banned from participating).
The analogy is so stretched as to be meaningless. At least as it refers to the McCarthy portion of the Red Scare, the objectionable portions were: targeting participation in purely domestic political groups, and falsely accusing people of affiliations they didn't have.
It wouldn't be at all objectionable to exclude from employment with the State Department or Army people who were actively openly affiliated with organizations directly sponsored by the Soviet Union. (Though acting in movies presents a different question.)
Likewise, it makes no sense for a standards group to be chaired by a person openly and actively affiliated with an organization which has as a goal subverting those very standards.
1. Banning persons with open affiliations encourages people to hide their affiliation with those organizations.
2. Then, banning persons with supposed affiliations encourages abuse of the banning process.
I grant you that closing mere participation by having pre-screening is probably an unworkable and too costly a step; costly in more ways than one.
I still feel we ought not let them chair the committee, though. I mean, the NSA heading a committee working on publicly available crypto? It’s an oxymoron and a contradiction in terms. It’s the fox guarding the hen house.
Umm .. there's more than a shadow of fascist totalitarianism in the NSA. I think there is ample evidence to demonstrate that this group is destroying the USA. Really!
It should be an obvious and routine matter for any organization/group that has a conflict-of-interest policy.
It is not so simple for the IETF and IRTF, since they traditionally have eschewed voting and instead opt for “rough consensus and running code”. Also, the position of the NSA is fundamentally opposed to what the CFRG is supposed to achieve, so I don’t see how a normal conflict-of-interest policy is going to help.
I concur: Kevin Igoe should resign, if nothing else then to remove the cloud of suspicion, given the revelations of NSA sabotage.
On the other hand, if his mission is to sabotage their work I think that's much less likely to happen, particularly with Lars' support. I wonder if the resulting increased scrutiny will cripple the working group.
Not exactly a fan of the NSA, and on top of that I think a lot of companies like to spy even without the help of the NSA, but come on guys, is that really the level we're arguing on?
So the logical conclusion is to request the removal of the CFRG chair, too, and replace him with someone who will remove the NSA co-chair. Or just start boycotting and ignoring everything this group is proposing from now on in cryptography - whichever way works.
> Should we then eliminate all individuals affiliated with the NSA from participating?

Um - hell yes?! After all that's happened and everything the NSA has been trying to do to undermine the security of the web and US infrastructure, too? Of course the answer to that is YES! Otherwise, I personally have no trust in anything this group, or the IETF on the whole, will be releasing from now on, if that's their attitude about this.
International security standards should be created without the involvement of spy agencies - especially when they've already been discovered to be trying to implement hardware backdoors on multiple occasions (even in the recent UAE satellite). NSA is hostile to security and to security standards. They've proven it already. So treat them as being hostile.
> So unlike the title "co-chair" might imply, and unlike in many other organizations, IRTF co-chairs are little more than group secretaries.
The chair is far more than a "group secretary". As RFC 2014 section 5.3 states:

> The Research Group Chair is concerned with making forward progress in the areas under investigation, and has wide discretion in the conduct of Research Group business. [...] The Chair has ultimate responsibility for ensuring that a Research Group achieves forward progress.
Screw controversy. Are we going to be protected by the CFRG or not? At this point, it seems likely that we are not.
He chooses to work for an agency that breaks the law. Do we just turn a blind eye?
If he was answering phones there, it'd be one thing, but he's a cryptography expert. I'd imagine he'd be only a degree or two removed from something nefarious.
Just following orders is not an excuse if you have a conscience.
e - grammar
At any rate, if the NSA wanted to continue to participate, they'd just hire people not officially associated with the NSA.