NSA Co-Chairs of Crypto Forum Research Group, Legitimacy of WebCrypto API in Doubt

odinn odinn.cyberguerrilla at riseup.net
Thu Oct 23 11:30:55 PDT 2014



As a (hopefully final) note to this particular issue, please note the
resolution at:

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25839#c64

The NSA co-chair is resigning, and it appears the Working Groups are
moving ahead without the involvement of that co-chair, for example:

(see comments 61 and 62 at)

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25618#c61

Cheers,


- -Odinn

odinn wrote:
> For those of you on this list who have been watching the progress
> of things relating to the W3C coordinated process for the WebCrypto
> API, you know that a lot of work and thought has gone into this and
> it is an impressive collaboration.
> 
> But with the IETF CFRG (Crypto Forum Research Group) still being 
> co-chaired by an agent of the NSA (n1), anything that passes
> through that organization must be questioned at this time.  (In the
> unlikely event that the CFRG page is censored after this message is
> sent, I've included the names and e-mail addresses of the current
> co-chairs as part of this message as they currently appear on the
> CFRG's site, where their names and e-mail addresses have been
> sitting in full public view for a very long time (n2)).
> 
> As some of you already know, people within the Crypto Forum
> Research Group have tried (so far unsuccessfully) since last year
> (n1, n2, n3) to remove the NSA Co-chair.  It should not matter who
> the person is, but the issue is that having anyone who is in the
> employ of or affiliated with the NSA chair (or co-chair) a research
> group whose purpose it is to advise all IETF Working Groups, is
> highly problematic for reasons which now should be obvious to
> anyone reading this message.
> 
> Currently the WebCrypto API is approaching its last call ~ it's in
> a process of being finalized.  For those who are not sure what the 
> WebCrypto API is, it's one of those things that is designed to 
> basically help make ordinary webpages that you see work, and
> includes the definition of cryptographic primitives that make your
> internet go. That's a terrible description actually, but if you
> want a better or more comprehensive description of WebCrypto API in
> plain English, consider reading poulpita's blog (n4).  It's also
> described at a W3C page as a "JavaScript API for performing basic
> cryptographic operations in web applications, such as hashing,
> signature generation and verification, and encryption and
> decryption. Additionally, it describes an API for applications to
> generate and/or manage the keying material necessary to perform
> these operations. Uses for this API range from user or service
> authentication, document or code signing, and the confidentiality
> and integrity of communications." (n5)
> 
> But the WebCrypto API Doc process, and indeed the legitimacy
> of the WebCrypto API itself, should be questioned and doubted, for
> the WebCrypto group has recently held off on including the
> widely-used curve25519 within NamedCurve dictionaries or as part of
> its extensibility and errata process, until the (NSA co-chaired)
> Crypto Forum Research Group gives W3C the go-ahead.   For further
> information and confirmation on this, see (n6) below.
> 
> If you are concerned about this, check out the message thread 
> discussing attempts to remove the NSA co-chair (n3) and consider 
> posting to the CFRG list (n7) about it once you subscribe.
> 
> NSA affiliated persons need to be removed from groups that
> influence the direction of the entire web. I hope those who receive
> this message will organize to help make that happen.
> 
> (n1) https://irtf.org/cfrg
> (n2) From CFRG's public webpage (n1) as of Oct. 20, 2014:  "CFRG is
> chaired by Kevin Igoe (kmigoe at nsa.gov), Kenny Paterson
> (kenny.paterson at rhul.ac.uk) and Alexey Melnikov
> (alexey.melnikov at isode.com)."
> (n3) http://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html
> (n4) http://poulpita.com/2014/08/28/w3c-web-crypto-whats-next/
> (n5) https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html
> (n6) https://www.w3.org/Bugs/Public/show_bug.cgi?id=25839 (see in
> particular: comments 11, 12, 48, and 59 through 63 on that page)
> (n7) https://irtf.org/mailman/listinfo/cfrg
> 

- -- 
http://abis.io ~
"a protocol concept to enable decentralization
and expansion of a giving economy, and a new social good"
https://keybase.io/odinn


