[Cfrg] Requesting removal of CFRG co-chair

Trevor Perrin <trevp@trevp.net> Fri, 20 December 2013 16:01 UTC

Return-Path: <trevp@trevp.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 297D91ADFB6 for <cfrg@ietfa.amsl.com>; Fri, 20 Dec 2013 08:01:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.722
X-Spam-Level:
X-Spam-Status: No, score=0.722 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RvFBdsdftoNM for <cfrg@ietfa.amsl.com>; Fri, 20 Dec 2013 08:01:47 -0800 (PST)
Received: from mail-wi0-f175.google.com (mail-wi0-f175.google.com [209.85.212.175]) by ietfa.amsl.com (Postfix) with ESMTP id 245561ADFF6 for <cfrg@ietf.org>; Fri, 20 Dec 2013 08:01:41 -0800 (PST)
Received: by mail-wi0-f175.google.com with SMTP id hi5so8580916wib.14 for <cfrg@ietf.org>; Fri, 20 Dec 2013 08:01:38 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=Iy94m2th/2KfG12soA5YOURol78POsUnGwQ57rw+2dY=; b=HO5tAfhYo1a1ScnfFPcR8suWxexPsT1XgVc4BG8Yfin2GVqOJa2mH6ftj7R3tEyPZI jokpq2ThAn/y2jUXcrj5mnSXtE6d8ddbbYrO61F+18jm5TLlgbVz7Y3e6vBwMwQ9apoG SVZgIm7u+NZ32cZ2uyClC1EGNIzJnL6ncgHiqcM8ILy9+wM6ysGLvazHZjqV6uQDsfp/ B+kaxT4vIe9hAeSKec25Xg2xSuXqM6VecTmlDRQBqMrjDv/ieo5N9a1UmmqRfPtKiL0s YJRlYpuunoI4d0lrPrn1szRgvYqj00bOaMcWwcJTfaBZhQWuGvwhSg9UjTVRSCmWIxej utKw==
X-Gm-Message-State: ALoCoQlwEMD27jUiIVaBXUqODUylgbD2FBOhIvt8m/XcohcdqOJ2/GXV7cYUq4saNTh+dZbHuupA
MIME-Version: 1.0
X-Received: by 10.180.187.72 with SMTP id fq8mr8458409wic.26.1387555298374; Fri, 20 Dec 2013 08:01:38 -0800 (PST)
Received: by 10.216.214.134 with HTTP; Fri, 20 Dec 2013 08:01:38 -0800 (PST)
X-Originating-IP: [199.83.223.81]
Date: Fri, 20 Dec 2013 08:01:38 -0800
Message-ID: <CAGZ8ZG2f9QHX40RcB8aajWvEfG0Gh_uewu2Rq7bQGHYNx6cOmw@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: irtf-chair@irtf.org, iab@iab.org, cfrg@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Subject: [Cfrg] Requesting removal of CFRG co-chair
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Dec 2013 16:01:54 -0000

Dear IRTF Chair, IAB, and CFRG:

I'd like to request the removal of Kevin Igoe from CFRG co-chair.

The Crypto Forum Research Group is chartered to provide crypto advice
to IETF Working Groups.  As CFRG co-chair for the last 2 years, Kevin
has shaped CFRG discussion and provided CFRG opinion to WGs.

Kevin's handling of the "Dragonfly" protocol raises doubts that he is
performing these duties competently.  Additionally, Kevin's employment
with the National Security Agency raises conflict-of-interest
concerns.


Dragonfly Background
----
Dragonfly is a "Password-Authenticated Key Exchange" protocol (or
"PAKE").  Dragonfly was proposed to CFRG 2 years ago [PROPOSAL].
Compared to better-known PAKEs, Dragonfly has no security proof, a
lack of extensive security analysis, nonfunctional complications added
for IPR reasons, and some security issues [REVIEW].

Dragonfly became a hot topic recently when the TLS WG disputed CFRG's
alleged report that Dragonfly was "satisfactory", as well as disputing
that this report reflected CFRG consensus [TLS_1].  After extensive
criticism of Dragonfly, the TLS WG ceased work on a Dragonfly
extension [TLS_2].


NSA Background
----
The National Security Agency ("NSA") is a U.S. Intelligence Agency
which is believed to devote considerable resources to:
 - "Influence policies, standards and specifications for commercial
public key technologies"
 - "Shape the worldwide cryptography marketplace to make it more
tractable to advanced cryptanalytic capabilities" [BULLRUN]

While much is unknown about these activities, the NSA is known to have
placed a "back door" in a NIST standard for random number generation
[ECDRBG].  A recent report from the President's Review Group
recommends that the NSA:
 - "fully support and not undermine efforts to create encryption standards"
 - "not in any way subvert, undermine, weaken, or make vulnerable
generally available commercial software" [PRESIDENTS]

This suggests the NSA is currently behaving contrary to the recommendations.


Reasons for requesting Kevin's removal
----
1)  Kevin has provided the *ONLY* positive feedback for Dragonfly that
can be found on the CFRG mailing list or meeting minutes.  The
contrast between Kevin's enthusiasm and the group's skepticism is
striking [CFRG_SUMMARY].  It's unclear what this enthusiasm is based
on.  There's no record of Kevin making any effort to understand
Dragonfly's unusual structure, compare it to alternatives, consider
possible use cases, or construct a formal security analysis.

2)  Twice Kevin suggested a technique for deriving the Dragonfly
password-based element which would make the protocol easy to break
[IGOE_1, IGOE_2].  He also endorsed an ineffective attempt to avoid
timing attacks by adding extra iterations to one of the loops [IGOE_3,
IGOE_4].  These are surprising mistakes from an experienced
cryptographer.

3)  Kevin's approval of Dragonfly to the TLS WG misrepresented CFRG
consensus, which was skeptical of Dragonfly [CFRG_SUMMARY].

4)  Kevin's NSA affiliation raises unpleasant but unavoidable
questions regarding these actions.  It's entirely possible these are
just mistakes by a novice chair who lacks experience in a particular
sort of protocol and is being pressured by IETF participants to
endorse something.  But it's hard to escape an impression of
carelessness and unseriousness in Kevin's work.  One wonders whether
the NSA is happy to preside over this sort of sloppy crypto design.

While that's of course speculation, it remains baffling that an
experienced cryptographer would champion such a shoddy protocol.  The
CFRG chairs have been silent for months, and haven't responded to
attempts to clarify this.


Conclusion
----
The position of CFRG chair (or co-chair) is a role of crucial
importance to the IETF community.  The IETF is in desperate need of
trustworthy crypto guidance from parties who are above suspicion.  I
encourage the IAB and IRTF to replace Kevin Igoe with someone who can
provide this.

Thanks for considering this request.


Trevor


[PROPOSAL] http://www.ietf.org/mail-archive/web/cfrg/current/msg03044.html
[REVIEW] http://www.ietf.org/mail-archive/web/cfrg/current/msg03537.html
[TLS_1] http://www.ietf.org/mail-archive/web/tls/current/msg10819.html
[TLS_2] http://www.ietf.org/mail-archive/web/tls/current/msg10993.html
[BULLRUN] http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
[ECDRBG] http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/
[PRESIDENTS] http://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf
[CFRG_SUMMARY] http://www.ietf.org/mail-archive/web/cfrg/current/msg03545.html
[IGOE_1] http://www.ietf.org/mail-archive/web/cfrg/current/msg03047.html
[IGOE_2] http://www.ietf.org/mail-archive/web/cfrg/current/msg03258.html
[IGOE_3] http://www.ietf.org/mail-archive/web/cfrg/current/msg03262.html
[IGOE_4] http://www.ietf.org/mail-archive/web/cfrg/current/msg03264.html