1997-10-13 - Re: IETF policy on refusing to allow politics to weaken protocols(Re: Why Adam Back keeps politicizing technical issues)

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: frantz@netcom.com
Message Hash: 28307617a29c90feeef8213d24a15b1d12b56e4a87b885c6e6b36fc38fe4184e
Message ID: <199710131140.MAA01044@server.test.net>
Reply To: <v03007802b067652cef84@[207.94.249.103]>
UTC Datetime: 1997-10-13 12:57:13 UTC
Raw Date: Mon, 13 Oct 1997 20:57:13 +0800

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Mon, 13 Oct 1997 20:57:13 +0800
To: frantz@netcom.com
Subject: Re: IETF policy on refusing to allow politics to weaken protocols(Re: Why Adam Back keeps politicizing technical issues)
In-Reply-To: <v03007802b067652cef84@[207.94.249.103]>
Message-ID: <199710131140.MAA01044@server.test.net>
MIME-Version: 1.0
Content-Type: text/plain




Bill Frantz <frantz@netcom.com> writes:
> At 2:41 AM -0700 10/11/97, Adam Back wrote:
> >
> >5. The IETF process should be accepting proposed designs and deciding
> >on the best ones, which PGP Inc, and the other suppliers would then go
> >and implement.  As it is now, as William Allen Simpson just pointed
> >out, PGP Inc is cruising ahead implementing, and deploying things
> >without bothering with the OpenPGP process.
> 
> Just a quick reality check here.  Frequently implementations have proceeded
> IETF standards.  That is one of the strengths of the IETF process (as
> compared with e.g the CCITT.)

I must admit some ignorance of the IETF processes due to my only
understandings being gained from intermittent following of the IPSEC
standardisation process, and in that respect I thank you for the data
point...

However, I would defend that my understanding is, and my point was
more that proposals with trial implementations should be used as
discussion points, and as competing draft proposals rather than being
used as arguments for it being necessary to build compatibility with
just because someone has rushed off and sold copies of them, prior to
ratification of those proposals by the standardisation process.  And
that independently of the technical merits of those proposals, or
arguably even in the face of evidence that there are more secure
alternatives to these proposals.

The IETF standardisation process is supposed to make decisions based
on technical merit.  Not based on marketing clout.  Nor even based on
reputation capital, something which PGP surely has in abundance, as
transferred to it by Phil Zimmermann with his virtual net.god status.

I also take exception to PGP's Will Price's attempt at silencing
negative discussion of the security and political aspects of PGP's
GAKware, in his rhetoric on this being an inappropriate forum for
discussion of political aspects of CMR.  If Will Price thinks that we
should just lie down and accept PGP fielding inferior security GAKware
systems, and accept PGP trying to impose them on the standard, he can
think again.  Crypto politics can't help but play some part in
discussion of crypto standards.  

As Tim May pointed out in an earlier post, we gave the same roasting
to companies participating in the Key Recovery Alliance Program, and
to companies like TIS, and IBM for various GAK sell out deals.  In
fact, Netscape got worse roastings for far lesser crimes than PGP's
crimes in attempting to architect GAKware into the OpenPGP standard,
or if that fails, in PGP's death wish in attempting to commit
reputational suicide by implementing and widely deploying GAKware.

My concern specifically is that some of the less desirable aspects of
the way that PGP have implemented CMR should not be adopted into the
standard for interoperability reasons alone.  I am worrying that PGP
Inc will shortly be using this line of reasoning, for backwards
compatibility with pgp5.5 functionality for similar reasons as one
might reasonably argue for backwards compatibility with pgp2.x.

I noticed that Ian Grigg (Systemics) also expressed this point about
standards process manipulation well in his article.

Systemics has a much better track record for open development, and
openness of design decisions than PGP Inc since it's incorporation, or
before that than the pgp3.0 development team of two in beetling
themselves off in a room at Sun or wherever and taking ages to develop
software.  (No offense intended to said developers technical ability,
which I respect immensely, the error was organisational.)

Systemics is also outside of the US and for that reason better placed
to compete internationally.  PGP Inc is losing reputation capital to
Systemics and other such small companies in eroding it's support from
netizens by fielding GAKware systems.

(I have no affiliation with Systemics).

Adam






Thread