Time for IETF witch hunt? (was: NSA Co-Chairs of Crypto Forum Research Group, Legitimacy of WebCrypto API in Doubt)
Is this a victory? Has anything been learned from the process? We know that regime changes are meaningless if the means of governance are not also reformed.

In July of 2013 JFC Morfin registered an appeal [1] to the IAB (IETF governing body). He asked the IAB to consider how the concept of a protocol should account for social and ethical requirements. The IAB's response [2] was terse. It showed that these governing bodies lack the means and will to consider how the tools they develop affect people.

We sit in a time where the architect of good citizenry is being increasingly dictated by undemocratic institutions. We are quickly trading space beholden to social contracts of the commons for those built by neo-liberal corporations. The ethics of "the protocol" is dictated by whichever company provides the most coffee and cake for the next workgroup meeting. I think the argument of "GeoIP as a threat to democracy" [3] provides an example rhetoric illustrating why concern for this is so important and why perhaps a witch hunt within the IETF is in order.

1. http://www.iab.org/wp-content/IAB-uploads/2013/07/appeal-morfin-2013-07-08.p...
2. https://www.ietf.org/mail-archive/web/ietf-announce/current/msg11697.html
3. https://cpunks.org/pipermail/cypherpunks/2014-July/005037.html

On 23/10/2014 20:30, odinn wrote:
As a (hopefully final) note to this particular issue, please note the resolution at:
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25839#c64
The NSA co-chair is resigning, and it appears the Working Groups are moving ahead without the involvement of that co-chair, for example:
(see comments 61 and 62 at)
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25618#c61
Cheers,
-Odinn
This governance is so centralized it makes me retch. Why do we need it? We don't! Consensus where it's not needed is detrimental anti-freedom fascist circlejerking. Standards should merely enable interoperability, thus create choice, and through that choice must come features, and the want for features will enforce those standards. Related: who's up for swapping layer 3 altogether?
On Sat, Oct 25, 2014 at 05:48:01PM +0200, Lodewijk andré de la porte wrote:
Standards should merely enable interoperability, thus create choice, and through that choice must come features, and the want for features will enforce those standards.
Related: who's up for swapping layer 3 altogether?
All I ask is that whatever comes out of it have an unambiguous BNF definition for its message format, without <prose-val> rules if at all possible. (See also: "enable interoperability".) Bonus points for defining the protocol itself as a finite state machine.

WebCrypto is a shitshow in large part because the people at its wheel perceive a need for JavaScript programmers to make decisions about what cipher mode to use. They're dead-set on forcing developers who write Javascript because C is hard to make low-level decisions that affect the reliability of their code in profound and non-obvious ways, and refuse to understand that this approach never ends well.

Cheers,
--mlp
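An added illustration of the cipher-mode point in the message above; it is not part of the original thread and not code from any participant. It uses the standard WebCrypto `subtle` calls to show one well-known consequence of the mode choice: the same in-transit bit flip is silently accepted under AES-CBC and rejected under AES-GCM. The message, keys and the helper name `tamperAndDecrypt` are constructed for the example.

```javascript
// Added example. Works in browsers and in Node (falls back to node:crypto).
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder(), dec = new TextDecoder();

// Constructed sample message: exactly 16 bytes, i.e. one AES block.
const MESSAGE = 'pay=0100;to=bob!';

// Encrypt MESSAGE under the named mode, modify one byte "in transit",
// then attempt decryption and report what the receiver would see.
async function tamperAndDecrypt(name) {
  const key = await wc.subtle.generateKey(
    { name, length: 128 }, false, ['encrypt', 'decrypt']);
  const iv = wc.getRandomValues(new Uint8Array(name === 'AES-GCM' ? 12 : 16));
  const ct = new Uint8Array(
    await wc.subtle.encrypt({ name, iv }, key, enc.encode(MESSAGE)));

  // Flip the bits that turn '0' into '9' at byte offset 4.
  // CBC XORs the IV into the first plaintext block on decrypt, so editing
  // the IV edits the plaintext at the same offset and nothing else.
  // GCM authenticates the ciphertext, so any edit must fail the tag check.
  const delta = '0'.charCodeAt(0) ^ '9'.charCodeAt(0);
  const iv2 = iv.slice(), ct2 = ct.slice();
  if (name === 'AES-CBC') iv2[4] ^= delta; else ct2[4] ^= delta;

  try {
    const pt = await wc.subtle.decrypt({ name, iv: iv2 }, key, ct2);
    return { accepted: true, plaintext: dec.decode(pt) };
  } catch (e) {
    return { accepted: false, error: e.name };
  }
}

// Run both modes on the same message and the same modification.
async function demo() {
  return {
    cbc: await tamperAndDecrypt('AES-CBC'),
    gcm: await tamperAndDecrypt('AES-GCM'),
  };
}

demo().then((r) => console.log(r));
```

Nothing in the API call shape distinguishes the two outcomes; only the `name` string differs, which is the kind of low-level decision the message says is being pushed onto application developers.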
"Meredith L. Patterson" <mlp@upstandinghackers.com> writes:
WebCrypto is a shitshow in large part because the people at its wheel perceive a need for JavaScript programmers to make decisions about what cipher mode to use. They're dead-set on forcing developers who write Javascript because C is hard to make low-level decisions that affect the reliability of their code in profound and non-obvious ways, and refuse to understand that this approach never ends well.
+1. (But then not allowing people to make their preferred crypto fashion statement would also be removing their freedom to shoot themselves in the foot with a machine-gun. In any case as a security researcher I don't know what you're complaining about, you're getting a guaranteed lifetime supply of material for future presentations at Defcon/Black Hat/etc). Peter.
It's fairly straightforward to uncover someone's financial and public ties to various organizations by looking through public records. But mentioning this possibility among peers is a bit of a conversation killer. No one wants to risk invading the privacy of someone who doesn't deserve it (which is virtually everyone with NIST or IETF).

Incidentally, when I mentioned this to a researcher who grew up in a horribly oppressive society, his response was "Why would you not do this kind of research?" So then I was in the awkward position of explaining that A) most people care about their careers, B) people don't want to invade others' privacy, C) the risk of false-positives is non-zero.

Do I think that people with suspicious financial ties should be outed? Sure. But no one wants to do that. No one wants to be the messenger.

TL;DR: people love hand-wringing, hate even mild risk.

best,
Griffin

ps: nah, I don't think that the legitimacy of the WebCrypto API is in doubt

Nicolas Bourbaki wrote:
Is this a victory? Has anything been learned from the process? We know that regime changes are meaningless if the means of governance are not also reformed.
In July of 2013 JFC Morfin registered an appeal [1] to the IAB (IETF governing body). He asked the IAB to consider how the concept of a protocol should account for social and ethical requirements. The IAB's response [2] was terse. It showed that these governing bodies lack the means and will to consider how the tools they develop affect people.
We sit in a time where the architect of good citizenry is being increasingly dictated by undemocratic institutions. We are quickly trading space beholden to social contracts of the commons for those built by neo-liberal corporations. The ethics of "the protocol" is dictated by whichever company provides the most coffee and cake for the next workgroup meeting. I think the argument of "GeoIP as a threat to democracy" [3] provides an example rhetoric illustrating why concern for this is so important and why perhaps a witch hunt within the IETF is in order.
1. http://www.iab.org/wp-content/IAB-uploads/2013/07/appeal-morfin-2013-07-08.p...
2. https://www.ietf.org/mail-archive/web/ietf-announce/current/msg11697.html
3. https://cpunks.org/pipermail/cypherpunks/2014-July/005037.html
On 23/10/2014 20:30, odinn wrote:
As a (hopefully final) note to this particular issue, please note the resolution at:
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25839#c64
The NSA co-chair is resigning, and it appears the Working Groups are moving ahead without the involvement of that co-chair, for example:
(see comments 61 and 62 at)
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25618#c61
Cheers,
-Odinn
-- "I believe that usability is a security concern; systems that do not pay close attention to the human interaction factors involved risk failing to provide security by failing to attract users." ~Len Sassaman
Hopefully this can be thought of not as a witch hunt, but as an encouragement for people to both participate more in lists where crypto is discussed as well as keep an eye out for these very issues of NSA influence (as well as influence from various corporation-state actors regardless of their geographical place of origin) on an ongoing basis.

Nicolas Bourbaki wrote:
Is this a victory? Has anything been learned from the process? We know that regime changes are meaningless if the means of governance are not also reformed.
In July of 2013 JFC Morfin registered an appeal [1] to the IAB (IETF governing body). He asked the IAB to consider how the concept of a protocol should account for social and ethical requirements. The IAB's response [2] was terse. It showed that these governing bodies lack the means and will to consider how the tools they develop affect people.
We sit in a time where the architect of good citizenry is being increasingly dictated by undemocratic institutions. We are quickly trading space beholden to social contracts of the commons for those built by neo-liberal corporations. The ethics of "the protocol" is dictated by whichever company provides the most coffee and cake for the next workgroup meeting. I think the argument of "GeoIP as a threat to democracy" [3] provides an example rhetoric illustrating why concern for this is so important and why perhaps a witch hunt within the IETF is in order.
1. http://www.iab.org/wp-content/IAB-uploads/2013/07/appeal-morfin-2013-07-08.p...
2. https://www.ietf.org/mail-archive/web/ietf-announce/current/msg11697.html
3. https://cpunks.org/pipermail/cypherpunks/2014-July/005037.html
On 23/10/2014 20:30, odinn wrote:
As a (hopefully final) note to this particular issue, please note the resolution at:
The NSA co-chair is resigning, and it appears the Working Groups are moving ahead without the involvement of that co-chair, for example:
(see comments 61 and 62 at)
Cheers,
-Odinn
-- http://abis.io ~ "a protocol concept to enable decentralization and expansion of a giving economy, and a new social good" https://keybase.io/odinn
* Nicolas Bourbaki:
In July of 2013 JFC Morfin registered an appeal [1] to the IAB (IETF governing body). He asked the IAB to consider how the concept of a protocol should account for social and ethical requirements.
What does this even mean? Capabilities to protect local community standards (the “social” part), and cryptography that cannot be misused to harm the Internet (the “ethical” part)? In short, filters and backdoors?
participants (7)
- Florian Weimer
- Griffin Boyce
- Lodewijk andré de la porte
- Meredith L. Patterson
- Nicolas Bourbaki
- odinn
- Peter Gutmann