
A far bigger issue is "The NSA played a significant role in the origins of Extended Random. The authors of the 2008 paper on the protocol were Margaret Salter, technical director of the NSA's defensive Information Assurance Directorate, and an outside expert named Eric Rescorla."

Given Rescorla's involvement with the TLS standard and Mozilla it's concerning that he declined to comment on this.




Careful with how you word this. Rescorla isn't an "outside expert"; he's been at the center of TLS standards for almost a decade now (he's also the author of SSLDump, which is/was a very useful tool). It's not hard to see why Rescorla would get roped into this: he's a standards sherpa. If you want to get some oddball extension you need for your internal systems specified, so that other systems might interoperate with yours, Rescorla is naturally the person you'd turn to.

Rescorla's name on an Internet draft is hardly an endorsement from Rescorla. I'm not sure that's how you're supposed to read any Internet standard; it happens to often be true, but it isn't always true. Sometimes those things get written with their authors holding their noses.


It's a direct quote from the Reuters article; but my point is that saying "no comment" isn't a good approach in the circumstances.


In the press "declined to comment" doesn't mean that the person responded "no comment", as far as I can tell. It means the person did not respond.

I've seen a few cases of press folks sending an email with a question and then going to press an hour later claiming that the addressee of the email (who happened to be 12 timezones away and asleep, as it happened) "declined to comment".


Reuters should be especially careful about how they word things, given the size of their readership and the authority people invest in their reporting.


It's also very concerning that there are at least 2 NSA employees working within IETF groups as far as I know, and they don't want to get rid of them. One is the one Trevor Perrin called out from the CFRG, but I remember someone else calling out another on a security blog, either months before the Snowden leaks came out or soon after.

NSA is not to be trusted in terms of security anymore, when by far their main priority these days is to undermine the security of protocols. If certain organizations don't want to get rid of them, then I can't trust that organization either. And I don't care how much of a "good guy" he is within the organization. It's probably his job to play the good guy.


Having NSA employees standardizing TLS extensions is about as surprising as having Google employees standardizing HTTP extensions. The NSA isn't just a bunch of spies; they're also the managers of the US government's crypto infrastructure.

If the USG wants to make some devices--secure phones, say--that use TLS in a weird way, but wants other devices--commercial off-the-shelf routers, say--to be able to interoperate with those devices, then the USG gets the NSA to draft a TLS extension allowing the routers to consider the behavior of the secure phone normative.


I'm maybe too naive/optimistic but I think the most likely is that he has been manipulated into co-authoring a document which by itself is innocuous but once coupled with a rigged PRNG might have disastrous effects.


Sure, he might be innocent, but he really needs to put out a statement clarifying what his involvement was and what he knew.

Mozilla should probably hire an independent auditor to review all of his code changes. It might be unnecessary but this seems to be a scenario where it's better to play it safe (plus always good to audit security related code).


>Sure, he might be innocent, but he really needs to put out a statement clarifying what his involvement was and what he knew.

Why does he need to do that? What benefit will it be to him? If he said he was unaware of any underhandedness would you believe him? Do you think that if he was aware that he wouldn't have signed NDAs about these things?


Well there's at least one other document coauthored by M Salter and E Rescorla [1], so the notion that Rescorla was manipulated into co-authoring the Extended Random paper is a bit more problematic since it wasn't a one-off collaboration.

[1] http://tools.ietf.org/html/draft-ietf-tls-suiteb-00


That's the TLS standard for all of Suite B, which until recently was the de facto standard way virtually all software used elliptic curve crypto. It's not exactly a sketchy RFC.

The word "collaboration" is funny here too, given how the IETF works. These people shared a mailing list. Rescorla is perhaps the most experienced person on the Internet at turning TLS WG mailing list discussions into Internet drafts. That his name would be on any number of TLS RFCs is about as surprising as seeing Mockapetris' name on a DNS RFC.


Fair enough. I'll admit my speculation is about as useless as hypothesizing Rescorla was somehow manipulated by the NSA into putting his name on the extended random paper.


Mozilla?! wow this is going to hurt their image...



