NSA Co-Chairs of Crypto Forum Research Group, Legitimacy of WebCrypto API in Doubt
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 For those of you on this list who have been watching the progress of things relating to the W3C coordinated process for the WebCrypto API, you know that a lot of work and thought has gone into this and it is an impressive collaboration. But with the IETF CFRG (Crypto Forum Research Group) still being co-chaired by an agent of the NSA (n1), anything that passes through that organization must be questioned at this time. (In the unlikely event that the CFRG page is censored after this message is sent, I've included the names and e-mail addresses of the current co-chairs as part of this message as they currently appear on the CFRG's site, where their names and e-mail addresses have been sitting in full public view for a very long time (n2)). As some of you already know, people within the Crypto Forum Research Group have tried (so far unsuccessfully) since last year (n1, n2, n3) to remove the NSA Co-chair. It should not matter who the person is, but the issue is that having anyone who is in the employ of or affiliated with the NSA chair (or co-chair) a research group whose purpose it is to advise all IETF Working Groups, is highly problematic for reasons which now should be obvious to anyone reading this message. Currently the WebCrypto API is approaching its last call ~ it's in a process of being finalized. For those who are not sure what the WebCrypto API is, it's one of those things that is designed to basically help make ordinary webpages that you see work, and includes the definition of cryptographic primitives that make your internet go. That's a terrible description actually, but if you want a better or more comprehensive description of WebCrypto API in plain English, consider reading poulpita's blog (n4). It's also described at a W3C page as a "JavaScript API for performing basic cryptographic operations in web applications, such as hashing, signature generation and verification, and encryption and decryption. Additionally, it describes an API for applications to generate and/or manage the keying material necessary to perform these operations. Uses for this API range from user or service authentication, document or code signing, and the confidentiality and integrity of communications." (n5) But the WebCrypto API Doc process and, and indeed the legitimacy of the WebCrypto API itself, should be questioned and doubted, for the WebCrypto group has recently held off on including the widely-used curve25519 within NamedCurve dictionaries or as part of its extensibility and errata process, until the (NSA co-chaired) Crypto Forum Research Group gives W3C the go-ahead. For further information and confirmation on this, see (n6) below. If you are concerned about this, check out the message thread discussing attempts to remove the NSA co-chair (n3) and consider posting to the CFRG list (n7) about it once you subscribe. NSA affiliated persons need to be removed from groups that influence the direction of the entire web. I hope those who receive this message will organize to help make that happen. (n1) https://irtf.org/cfrg (n2) From CFRG's public webpage (n1) as of Oct. 20, 2014: "CFRG is chaired by Kevin Igoe (kmigoe@nsa.gov), Kenny Paterson (kenny.paterson@rhul.ac.uk) and Alexey Melnikov (alexey.melnikov@isode.com)." (n3) http://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html (n4) http://poulpita.com/2014/08/28/w3c-web-crypto-whats-next/ (n5) https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html (n6) https://www.w3.org/Bugs/Public/show_bug.cgi?id=25839 (see in particular: comments 11, 12, 48, and 59 through 63 on that page) (n7) https://irtf.org/mailman/listinfo/cfrg - -- http://abis.io ~ "a protocol concept to enable decentralization and expansion of a giving economy, and a new social good" https://keybase.io/odinn -----BEGIN PGP SIGNATURE----- iQEcBAEBCgAGBQJURL5EAAoJEGxwq/inSG8CN6QH+wZK+J15RtA4PART46BJRuPf 6ikb/gncf1oIVqVhII1MZyni9Tz+l9fZxkEiPN7bEAZg9zEkm/UrJhpQGa+Q1Lna vNanGyLfnVGJjsA1AxXpBnBsxqm8uwbLQNtNhLdf/UnEk92aNFgvroxSWk62aGoh 3zpzwTMioe1OWyuWk2y3adx/0WTAP9YRuM3J6MKY+Qh+mJMZJmCsnal+Dw/gqjSn Nd5oYght6H+9Af4bwSq3Eh816ojHg6rmzgAIIyWLyeFQiSPHrZVdFXa1bYUeM2gW 8a1udtaRLfVf69IevOvbIc2RM8Lh+uAKXFk65jfpvh2TbJ6U8PP9BUR799XGfEY= =k9SP -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 As a (hopefully final) note to this particular issue, please note the resolution at: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25839#c64 The NSA co-chair is resigning, and it appears the Working Groups are moving ahead without the involvement of that co-chair, for example: (see comments 61 and 62 at) https://www.w3.org/Bugs/Public/show_bug.cgi?id=25618#c61 Cheers, - -Odinn odinn wrote:
For those of you on this list who have been watching the progress of things relating to the W3C coordinated process for the WebCrypto API, you know that a lot of work and thought has gone into this and it is an impressive collaboration.
But with the IETF CFRG (Crypto Forum Research Group) still being co-chaired by an agent of the NSA (n1), anything that passes through that organization must be questioned at this time. (In the unlikely event that the CFRG page is censored after this message is sent, I've included the names and e-mail addresses of the current co-chairs as part of this message as they currently appear on the CFRG's site, where their names and e-mail addresses have been sitting in full public view for a very long time (n2)).
As some of you already know, people within the Crypto Forum Research Group have tried (so far unsuccessfully) since last year (n1, n2, n3) to remove the NSA Co-chair. It should not matter who the person is, but the issue is that having anyone who is in the employ of or affiliated with the NSA chair (or co-chair) a research group whose purpose it is to advise all IETF Working Groups, is highly problematic for reasons which now should be obvious to anyone reading this message.
Currently the WebCrypto API is approaching its last call ~ it's in a process of being finalized. For those who are not sure what the WebCrypto API is, it's one of those things that is designed to basically help make ordinary webpages that you see work, and includes the definition of cryptographic primitives that make your internet go. That's a terrible description actually, but if you want a better or more comprehensive description of WebCrypto API in plain English, consider reading poulpita's blog (n4). It's also described at a W3C page as a "JavaScript API for performing basic cryptographic operations in web applications, such as hashing, signature generation and verification, and encryption and decryption. Additionally, it describes an API for applications to generate and/or manage the keying material necessary to perform these operations. Uses for this API range from user or service authentication, document or code signing, and the confidentiality and integrity of communications." (n5)
But the WebCrypto API Doc process and, and indeed the legitimacy of the WebCrypto API itself, should be questioned and doubted, for the WebCrypto group has recently held off on including the widely-used curve25519 within NamedCurve dictionaries or as part of its extensibility and errata process, until the (NSA co-chaired) Crypto Forum Research Group gives W3C the go-ahead. For further information and confirmation on this, see (n6) below.
If you are concerned about this, check out the message thread discussing attempts to remove the NSA co-chair (n3) and consider posting to the CFRG list (n7) about it once you subscribe.
NSA affiliated persons need to be removed from groups that influence the direction of the entire web. I hope those who receive this message will organize to help make that happen.
(n1) https://irtf.org/cfrg (n2) From CFRG's public webpage (n1) as of Oct. 20, 2014: "CFRG is chaired by Kevin Igoe (kmigoe@nsa.gov), Kenny Paterson (kenny.paterson@rhul.ac.uk) and Alexey Melnikov (alexey.melnikov@isode.com)." (n3) http://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html (n4) http://poulpita.com/2014/08/28/w3c-web-crypto-whats-next/ (n5) https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html
(n6) https://www.w3.org/Bugs/Public/show_bug.cgi?id=25839 (see in
particular: comments 11, 12, 48, and 59 through 63 on that page) (n7) https://irtf.org/mailman/listinfo/cfrg
- -- http://abis.io ~ "a protocol concept to enable decentralization and expansion of a giving economy, and a new social good" https://keybase.io/odinn -----BEGIN PGP SIGNATURE----- iQEcBAEBCgAGBQJUSUlfAAoJEGxwq/inSG8CXBoH/jKUuteQ7/C74ujLvBwDU7E4 1tzrpkob/3QU1YnGkL8if1hzqdOBbSeqqfE6WNxEspFsUy0qqcrAynX7LyhxAA/4 aUZtmHOXEz3uYK3aWSAsA8FFSBYbRnnjEykINwFmnvG9owVWCohVyIzkmIkt4Ur4 0d8oHmRc+2GwW4qZUArm+N0UzedhVIRhoSG9llI61bnAQOq8+IF89B6Gq7pMgWZ1 vZO4F2iLqzyi6FxCUbI6GnSfGojIqyKTJPRz1Y686aini43if1a5+sakoBY1ss0Z BgrLHItCO+f7088kJqNSr7jPB0BQGAUB0fBsnMlhUzDzhHIGotNP3/0ssv+qo9M= =6FWE -----END PGP SIGNATURE-----
participants (1)
-
odinn