[Cfrg] Question regarding CFRG process
Trevor Perrin <trevp@trevp.net> Fri, 13 December 2013 00:06 UTC
Return-Path: <trevp@trevp.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEE111AE19A for <cfrg@ietfa.amsl.com>; Thu, 12 Dec 2013 16:06:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dOWJauuxINKI for <cfrg@ietfa.amsl.com>; Thu, 12 Dec 2013 16:06:19 -0800 (PST)
Received: from mail-wg0-f51.google.com (mail-wg0-f51.google.com [74.125.82.51]) by ietfa.amsl.com (Postfix) with ESMTP id 1654D1AE213 for <cfrg@ietf.org>; Thu, 12 Dec 2013 16:06:18 -0800 (PST)
Received: by mail-wg0-f51.google.com with SMTP id b13so1177493wgh.6 for <cfrg@ietf.org>; Thu, 12 Dec 2013 16:06:12 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to:cc :content-type; bh=gCiZEPnJ4AKEWLIP4X8+DUqu4ppnfxZMPlp3K+1Cz4o=; b=k+BUEgo6Kaqp7NL8wFLbtjxqwmeCtX3mrw88Y1zDu1KfEfTCL77j9R0jkweoHQtZNv xJlBC1o+J0c9oKeRUA2eYJWNVIgkD++8Wi56wNG8uw++R0ObYBTN7Ja6uu94bDjCWWGw lTgnA85jqjXkWollJHZn8GE9/0hwvHwGEl5baxL5BsJJsIuPHmUJlBeNGGwVQRSWaiK8 SqP115iYZT71j7jhuT8bwP+erDPWBmC3mA+PYsqm0bcx4kSt0g4KfOSq/9GSw4GIOSkf Q+Dnj+vYYqQl/9hhBER+LL95nj1178oYu+DxphyUaeXnCr8qMl4m0K6xGG4NaQcca6+Q i8Nw==
X-Gm-Message-State: ALoCoQkFG1n6YWmS0jn/m9z/XhhXQXVPFoQ0HYEkNU846s6EJLGZTy6+0y6TwWLTXxlPSEXIZxil
MIME-Version: 1.0
X-Received: by 10.194.2.108 with SMTP id 12mr9019827wjt.64.1386893172520; Thu, 12 Dec 2013 16:06:12 -0800 (PST)
Received: by 10.216.214.134 with HTTP; Thu, 12 Dec 2013 16:06:12 -0800 (PST)
X-Originating-IP: [12.27.66.5]
Date: Thu, 12 Dec 2013 16:06:12 -0800
Message-ID: <CAGZ8ZG0qnon4CYUh+2t201aioU1sHVQT9_8CMoez_5yM=N-cCA@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: cfrg@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "tls@ietf.org" <tls@ietf.org>, saag@ietf.org
Subject: [Cfrg] Question regarding CFRG process
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Dec 2013 00:06:23 -0000
Dear CFRG (cc: TLS, SAAG), I'd like to understand how the CFRG decides on guidance to provide IETF WGs. It appears the CFRG chairs provide this guidance based on their own opinions, disregarding any feedback from the mailing list or IETF meetings. In particular, the CFRG chairs have repeatedly endorsed the "Dragonfly" protocol to the TLS WG. However, I find no evidence of *ANY* positive feedback regarding Dragonfly in the CFRG mailing list or meeting minutes, except from the draft's author and CFRG co-chair Kevin Igoe. Compared to Kevin's enthusiasm, note: * Respected cryptographers and security engineers like Jonathan Katz, Adam Back, and Rene Struik expressed skepticism on the list * The single in-depth discussion at an IETF meeting was a string of complaints * Alternative proposals were made to CFRG (J-PAKE, AugPAKE). Could the chairs please clarify how they decided to endorse Dragonfly to TLS WG? Below is a summary of all CFRG discussion of Dragonfly. ===== Feb 2008 - Dan Harkins proposes early Dragonfly to CFRG http://www.ietf.org/mail-archive/web/cfrg/current/msg02205.html - Scott Fluhrer breaks it http://www.ietf.org/mail-archive/web/cfrg/current/msg02206.html ... Nov 2011 - David McGrew appoints Kevin Igoe as CFRG co-chair http://www.ietf.org/mail-archive/web/cfrg/current/msg03026.html Dec 2011 - Dan Harkins asks CFRG to look at TLS-PWD, based on Dragonfly http://www.ietf.org/mail-archive/web/cfrg/current/msg03044.html - Scott Fluhrer points out a problem http://www.ietf.org/mail-archive/web/cfrg/current/msg03045.html - Adam Back questions necessity of it, and lack of security analysis http://www.ietf.org/mail-archive/web/cfrg/current/msg03046.html Jan 2012 - Kevin Igoe's first email to CFRG: "I really like this idea & can find no problems." http://www.ietf.org/mail-archive/web/cfrg/current/msg03047.html - Jonathan Katz questions lack of security analysis, points out problems http://www.ietf.org/mail-archive/web/cfrg/current/msg03052.html http://www.ietf.org/mail-archive/web/cfrg/current/msg03053.html March 2012 - At IETF 83 CFRG meeting, concerns are raised about: - SPEKE patents - necessity of a new scheme - timing attacks - non-augmented properties http://www.ietf.org/proceedings/83/minutes/minutes-83-cfrg.txt May 2012 - Kevin Igoe points out a limitation due to "hunting-and-pecking" http://www.ietf.org/mail-archive/web/cfrg/current/msg03099.html - Zhou Sujing and Dan have an exchange that's hard to follow. http://www.ietf.org/mail-archive/web/cfrg/current/msg03115.html July 2012 - At IETF 84 TLS meeting (CFRG does not meet): - Kevin Igoe informs TLS WG, as the CFRG chair: "We approve of it, very clear and usable for general setting." http://www.ietf.org/proceedings/84/minutes/minutes-84-tls Oct 2012 - Kevin Igoe calls CFRG attention to Dragonfly draft-00 http://www.ietf.org/mail-archive/web/cfrg/current/msg03214.html - Jonathan Katz asks for a security proof - there is none http://www.ietf.org/mail-archive/web/cfrg/current/msg03215.html http://www.ietf.org/mail-archive/web/cfrg/current/msg03216.html Dec 2012 - Kevin Igoe calls CFRG attention to Dragonfly - raises timing attack issue, proposes 2 fixes, including rediscovery of Dan's original broken method (2008) http://www.ietf.org/mail-archive/web/cfrg/current/msg03258.html - Rene Struik points out the error in Kevin's proposal, and the inefficiency of Dragonfly relative to SPEKE http://www.ietf.org/mail-archive/web/cfrg/current/msg03259.html - Scott Fluhrer points out the error in Kevin's proposal, and proposes a flawed "mostly constant time" fix. Dan and Kevin embrace it. http://www.ietf.org/mail-archive/web/cfrg/current/msg03260.html http://www.ietf.org/mail-archive/web/cfrg/current/msg03262.html http://www.ietf.org/mail-archive/web/cfrg/current/msg03263.html http://www.ietf.org/mail-archive/web/cfrg/current/msg03264.html http://www.ietf.org/mail-archive/web/cfrg/current/msg03265.html Feb 2013 - draft-01 is uploaded with flawed sidechannel fix - also quietly fixes security issue reported by Dylan Clarke and Feng Hao http://www.ietf.org/mail-archive/web/cfrg/current/msg03309.html http://www.ietf.org/mail-archive/web/cfrg/current/msg03529.html Apr 2013 - Kevin Igoe mentions a last call for Dragonfly "The design looks mature, it addresses a real need, and no one has raised any issues." http://www.ietf.org/mail-archive/web/cfrg/current/msg03383.html May 2013 - Feng Hao asks CFRG to consider J-PAKE (an alternative) http://www.ietf.org/mail-archive/web/cfrg/current/msg03430.html July 2013 - Rene Struik points out spec bugs, raises timing attack issue again http://www.ietf.org/mail-archive/web/cfrg/current/msg03486.html http://www.ietf.org/mail-archive/web/cfrg/current/msg03489.html - IETF 87, CFRG meeting: - "The author is working on a new (and hopefully final) draft" http://www.ietf.org/proceedings/87/minutes/minutes-87-cfrg Aug 2013 - draft-02 is uploaded with modifications to "hunting-and-pecking" http://www.ietf.org/mail-archive/web/cfrg/current/msg03509.html Sep 2013 - SeongHan Shin asks CFRG to consider AugPAKE (an alternative) http://www.ietf.org/mail-archive/web/cfrg/current/msg03523.html Nov/Dec 2013 - Joe Saloway begins TLS-PWD last call, and informs TLS WG that: "The underlying cryptographic protocol for TLS-PWD has been reviewed by the IRTF CFRG group with satisfactory results." http://www.ietf.org/mail-archive/web/tls/current/msg10476.html - Uproar on TLS WG: - Many object to lack of formal security analysis: Douglas Stebila, Uri Blumenthal, Bodo Moeller, Rene Struik, Watson Ladd - Many point out better alternatives: SeongHan Shin, Robert Ransom, Watson Ladd, Trevor Perrin - Security flaws are pointed out by Bodo Moeller and CodesInChaos http://www.ietf.org/mail-archive/web/tls/current/msg10708.html http://www.ietf.org/mail-archive/web/tls/current/msg10768.html - Rene Struik and Bodo Moeller dispute that CFRG approved this http://www.ietf.org/mail-archive/web/tls/current/msg10769.html http://www.ietf.org/mail-archive/web/tls/current/msg10812.html - Eric Rescorla (TLS WG chair) states: "we did have a verbal report back from the chair of the CFRG that they considered it satisfactory" http://www.ietf.org/mail-archive/web/tls/current/msg10819.html Trevor
- [Cfrg] Question regarding CFRG process Trevor Perrin
- Re: [Cfrg] [saag] Question regarding CFRG process Dan Harkins
- Re: [Cfrg] [TLS] [saag] Question regarding CFRG p… Watson Ladd
- Re: [Cfrg] [TLS] [saag] Question regarding CFRG p… Dan Harkins
- Re: [Cfrg] [TLS] [saag] Question regarding CFRG p… Watson Ladd
- Re: [Cfrg] [TLS] [saag] Question regarding CFRG p… Dan Harkins
- Re: [Cfrg] [saag] Question regarding CFRG process Trevor Perrin
- Re: [Cfrg] [saag] Question regarding CFRG process Sean Turner
- Re: [Cfrg] [TLS] [saag] Question regarding CFRG p… Basil Dolmatov