Post AlrWMyTwM7mGPkI4FU by djb@mastodon.cr.yp.to
Post #AlosTMUJd7Dc7f2M8O by djb@mastodon.cr.yp.to
2024-09-09T05:41:28Z
0 likes, 0 repeats
This year IETF appointed a "Security Area Director" whose August 2024 conflict-of-interest filing lists NSA as a source of income: https://www.ietf.org/about/groups/iesg/iesg-coi-policy/ Profile says retired from NSA "with 37+ years of service in Dec 2023", still "working as a Stand-by Active Reservist at NSA".
Post #AlrWClwQ7vRQclkNG4 by eliotlear@mastodon.social
2024-09-09T06:33:35Z
0 likes, 0 repeats
@djb Dan, you left out an important bit: "This work will continue until the end of 2024." Also, can you point to any decision you believe was incorrect?
Post #AlrWCmr8j2oNSgHffM by djb@mastodon.cr.yp.to
2024-09-09T07:11:56Z
0 likes, 0 repeats
@eliotlear Incorrect: Sure, like trying to ram a give-control-over-SSH-to-NSA WG through IETF without answering the concerns publicly expressed by Theo de Raadt (e.g., https://mailarchive.ietf.org/arch/msg/ssh/A3gmWCryJW9VnH1A7vFPrFXxjnQ/) and others (including me). But the important point here is much simpler: giving control over any IETF/IRTF security decisions to NSA creates the appearance of a conflict of interest, ergo shouldn't happen.
Post #AlrWCnVYIn8bU1Bwem by eliotlear@mastodon.social
2024-09-09T11:14:07Z
0 likes, 0 repeats
@djb Theo was happy with the charter and said so here https://mailarchive.ietf.org/arch/msg/ssh/574wCUIl13fNeZK7Hn6RF4gtSR8/. I am not going to enter the fray on the substance, but I think you owe those people an apology and a retraction.
Post #AlrWCo6472LRJGH6ZM by djb@mastodon.cr.yp.to
2024-09-09T15:30:52Z
0 likes, 0 repeats
@eliotlear 1. Do you realize that you're linking to a 13 August message about the charter, and that this was before the 24 August message that I linked to where he expressed unanswered concerns about the WG? 2. Other than histrionics, do you have any comment on the conflict-of-interest problem with having an NSA employee as an IETF security-area director? 3. If you think I've said something incorrect, can you please quote the allegedly incorrect statement? Thanks in advance!
Post #AlrWCod28SiSxVhQxM by eliotlear@mastodon.social
2024-09-09T19:26:20Z
0 likes, 0 repeats
@djb (1+3) He hasn't said "don't form a working group", and he hasn't objected to the charter. Yes, he's annoyed by the conversation. (2) Yes. Deb has far less conflict than most industry participants, as she is retiring. If the IESG applied the standard you suggest, no industry or government participant could serve, putting an end to the IETF and any industry-driven effort. That would leave who exactly?
Post #AlrWCpN7N7ZzGRGEmu by djb@mastodon.cr.yp.to
2024-09-10T04:14:32Z
0 likes, 0 repeats
@eliotlear Your quote is fabricated. I said he (and others, including me) expressed concerns. Instead of answering, the NSA AD filed WG-creation forms as if discussion had settled. As for your "no industry or government participant" strawman: I'm talking specifically about NSA. That's an organization that internally asked whether cryptographic standards could be made "weak enough" for NSA to break, and that at last report had a cryptographic sabotage budget of a quarter billion dollars a year.
Post #AlrWMwM4GQI9okakhU by eliotlear@mastodon.social
2024-09-10T06:28:25Z
0 likes, 0 repeats
@djb Of *course* it's fabricated, because my point is that that, or something like it, is what one would say to object to the charter. And, as you should well know by now (you're not new at this), one AD doesn't make a decision on a charter; rather, it's the entire IESG. That's another protection against CoI. And even right now, you can comment to the entire IESG up until the 15th, after which it will be discussed on the 19th. Details at https://datatracker.ietf.org/doc/charter-ietf-sshm/ballot/.
Post #AlrWMxEJ0lg2Wxy4Ey by djb@mastodon.cr.yp.to
2024-09-10T12:11:06Z
0 likes, 0 repeats
@eliotlear OK, looks like time for Recusal 101: Do you think that it's okay for U.S. Supreme Court justices with conflicts of interest to not recuse themselves since there's more than one judge on the court? And it's okay for lower-court judges with conflicts of interest to not recuse themselves since there's an appeals process? Do you understand what the purpose of recusal is?
Post #AlrWMxyOFQXYptWs4W by eliotlear@mastodon.social
2024-09-10T12:53:51Z
0 likes, 0 repeats
@djb And again, the job can't get done if we require everyone to recuse on a large portion of decisions. It's simply not possible. Standards organizations are *riddled* with these sorts of conflicts. That's the world in which we live. What you can do is show where there is bad work. Deb's job is to see that the process was followed and only at the end to spot issues that have not been properly addressed.
Post #AlrWMyTwM7mGPkI4FU by djb@mastodon.cr.yp.to
2024-09-10T13:27:29Z
0 likes, 0 repeats
@eliotlear There you go again with these ridiculous "everyone" exaggerations. The actual issue at hand is an IETF security-area directorship being given to an employee of NSA, an organization with a policy and track record of sabotaging security standards.
Post #AlrWMyyQWmADwIYPlg by rsalz@ioc.exchange
2024-09-10T13:33:11Z
0 likes, 0 repeats
@djb @eliotlear Dan, do you have any specific instances where Deb did not act clearly, transparently and in the best interests of the IETF? Not her employer. Her.
Post #AlrWMzc899vHvR87ea by djb@mastodon.cr.yp.to
2024-09-10T13:51:25Z
0 likes, 0 repeats
@rsalz @eliotlear I gave an example earlier in the thread; but, again, the recusal obligation is triggered simply by the appearance of a conflict of interest. https://www.ietf.org/about/groups/iesg/iesg-coi-policy/ says "In cases where a clear conflict of interest exists, an Area Director should normally recuse". It doesn't say "Wait until the evidence of bad decisions is so overwhelming that you feel pressured to do what you would have done without this policy existing in the first place".