Weblog entry #107 for dkg
Here's the background:
The Internet Research Task Force (IRTF) is a body tasked with research into underlying concepts, themes, and technologies related to the Internet as a whole. They act as a research organization that cooperates and complements the engineering and standards-setting activities of the Internet Engineering Task Force (IETF).
The IRTF is divided into issue-specific research groups, each of which has a Chair or Co-Chairs who have "wide discretion in the conduct of Research Group business", and are tasked with organizing the research and discussion, ensuring that the group makes progress on the relevant issues, and communicating the general sense of the results back to the rest of the IRTF and the IETF.
One of the IRTF's research groups specializes in cryptography: the Crypto Forum Research Group (CFRG). There are two current chairs of the CFRG: David McGrew <firstname.lastname@example.org> and Kevin M. Igoe <email@example.com>. As you can see from his e-mail address, Kevin M. Igoe is affiliated with the National Security Agency (NSA). The NSA itself actively tries to weaken cryptography on the Internet so that they can improve their surveillance, and one of the ways they try to do so is to "influence policies, standards, and specifications".
On the CFRG list yesterday, Trevor Perrin requested the removal of Kevin M. Igoe from his position as Co-chair of the CFRG. Trevor's specific arguments rest heavily on the technical merits of a proposed cryptographic mechanism called Dragonfly key exchange, but I think the focus on Dragonfly itself is the least of the concerns for the IRTF.
I've seconded Trevor's proposal, and asked Kevin directly to step down and to provide us with information about any attempts by the NSA to interfere with or subvert recommendations coming from these standards bodies.
Below is my letter in full:
I'm aware that an abdication by Kevin (or his removal by the IETF chair) would probably not end the NSA's attempts to subvert standards bodies or weaken encryption. They could continue to do so by subterfuge, for example, or by private influence on other public members. We may not be able to stop them from doing this in secret, and the knowledge that they may do so seems likely to cast a pall of suspicion over any IETF and IRTF proceedings in the future. This social damage is serious and troubling, and it marks yet another cost to the NSA's reckless institutional disregard for civil liberties and free communication.From: Daniel Kahn Gillmor <firstname.lastname@example.org> To: email@example.com, Kevin M. Igoe <firstname.lastname@example.org> Date: Sat, 21 Dec 2013 16:29:13 -0500 Subject: Re: [Cfrg] Requesting removal of CFRG co-chair On 12/20/2013 11:01 AM, Trevor Perrin wrote: > I'd like to request the removal of Kevin Igoe from CFRG co-chair. Regardless of the conclusions that anyone comes to about Dragonfly itself, I agree with Trevor that Kevin M. Igoe, as an employee of the NSA, should not remain in the role of CFRG co-chair. While the NSA clearly has a wealth of cryptographic knowledge and experience that would be useful for the CFRG, the NSA is apparently engaged in a series of attempts to weaken cryptographic standards and tools in ways that would facilitate pervasive surveillance of communication on the Internet. The IETF's public position in favor of privacy and security rightly identifies pervasive surveillance on the Internet as a serious problem: https://www.ietf.org/media/2013-11-07-internet-privacy-and-security.html The documents Trevor points to (and others from similar stories) indicate that the NSA is an organization at odds with the goals of the IETF. While I want the IETF to continue welcoming technical insight and discussion from everyone, I do not think it is appropriate for anyone from the NSA to be in a position of coordination or leadership. ---- Kevin, the responsible action for anyone in your position is to acknowledge the conflict of interest, and step down promptly from the position of Co-Chair of the CFRG. If you happen to also subscribe to the broad consensus described in the IETF's recent announcement -- that is, if you care about privacy and security on the Internet -- then you should also reveal any NSA activity you know about that attempts to subvert or weaken the cryptographic underpinnings of IETF protocols. Regards, --dkg
But even if we cannot rule out private NSA influence over standards bodies and discussion, we can certainly explicitly reject any public influence over these critical communications standards by members of an institution so at odds with the core principles of a free society.
Kevin M. Igoe, please step down from the CFRG Co-chair position.
And to anyone (including Kevin) who knows about specific attempts by the NSA to undermine the communications standards we all rely on: please blow the whistle on this kind of activity. Alert a friend, a colleague, or a journalist. Pervasive surveillance is an attack on all of us, and those who resist it are heroes.