10/20/2014
Odinn/cpunks.org:
For those of you on this list who have been watching the progress of things relating to the W3C coordinated process for the WebCrypto API, you know that a lot of work and thought has gone into this and it is
an impressive collaboration.
But with the IETF CFRG (Crypto Forum Research Group) still being co-chaired by an agent of the NSA (n1), anything that passes through that organization must be questioned at this time. (In the unlikely
event that the CFRG page is censored after this message is sent, I've included the names and e-mail addresses of the current co-chairs as part of this message as they currently appear on the CFRG's site, where their names and e-mail addresses have been sitting in full public view for a very long time (n2)).
As some of you already know, people within the Crypto Forum Research Group have tried (so far unsuccessfully) since last year (n1, n2, n3) to remove the NSA Co-chair. It should not matter who the person is, but the issue is that having anyone who is in the employ of or affiliated with the NSA chair (or co-chair) a research group whose purpose it is to advise all IETF Working Groups, is highly problematic for reasons which now should be obvious to anyone reading this message.
Currently the WebCrypto API is approaching its last call ~ it's in a process of being finalized. For those who are not sure what the WebCrypto API is, it's one of those things that is designed to basically help make ordinary webpages that you see work, and includes the definition of cryptographic primitives that make your internet go. That's a terrible description actually, but if you want a better or more comprehensive description of WebCrypto API in plain English, consider reading poulpita's blog (n4). It's also described at a W3C page as a "JavaScript API for performing basic cryptographic operations in web applications, such as hashing, signature generation and verification, and encryption and decryption. Additionally, it describes an API for applications to generate and/or manage the keying material necessary to perform these operations. Uses for this API range from user or service authentication, document or code signing, and the confidentiality and integrity of communications." (n5)
But the WebCrypto API Doc process and, and indeed the legitimacy of the WebCrypto API itself, should be questioned and doubted, for the WebCrypto group has recently held off on including the widely-used curve25519 within NamedCurve dictionaries or as part of its extensibility and errata process, until the (NSA co-chaired) Crypto Forum Research Group gives W3C the go-ahead. For further information and confirmation on this, see (n6) below.
If you are concerned about this, check out the message thread discussing attempts to remove the NSA co-chair (n3) and consider posting to the CFRG list (n7) about it once you subscribe.
NSA affiliated persons need to be removed from groups that influence the direction of the entire web. I hope those who receive this message will organize to help make that happen.
(n1) https://irtf.org/cfrg
(n2) From CFRG's public webpage (n1) as of Oct. 20, 2014: "CFRG is chaired by Kevin Igoe (kmigoe at nsa.gov), Kenny Paterson (kenny.paterson at rhul.ac.uk) and Alexey Melnikov (alexey.melnikov at isode.com)."
(n3) http://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html
(n4) http://poulpita.com/2014/08/28/w3c-web-crypto-whats-next/
(n5) https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html
(n6) https://www.w3.org/Bugs/Public/show_bug.cgi?id=25839 (see in particular: comments 11, 12, 48, and 59 through 63 on that page)
(n7) https://irtf.org/mailman/listinfo/cfrg
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Related Links:
Secret Documents Reveal NSA Campaign Against Encryption
Security Industry Pioneer RSA Paid $10 Million to Use Backdoored NSA Algorithm in Crypto Software
SENTRY EAGLE: NSA's "Core Secrets" Re: Covert Activities Inside Companies; Access Sensitive Data, Compromise Networks, Subvert Encryption
No comments:
Post a Comment
Make a Nice Comment .....