Hi,

Phill raised the US$250M/year issue. [1] That is something we might prefer to ignore, but perhaps it's better to address it briefly, and then move on if we can.

In fact, I don't think its impact is that significant, except in so far as it has damaged the reputation of some, and there is real reputational damage to institutions and even, very unfairly, maybe to some individuals.

FWIW, my take on this is the following:

1. The only convincingly known case so far is dual-ec-drbg. There are no others that I'm aware of, and none directly involving the IETF. There was some discussion of IPsec but Jeff Schiller convincingly countered that, and Jeff's account matches my recollection (not that I was really involved in that at the time). The "NIST Curve" topic is I think different and is being actively discussed on the TLS list. (The difference is that the NIST curve debate is a result of, and not a cause of, reputational damage.)

2. It seems unlikely to me, and others who've mailed me offlist, that anyone was being directly paid as part of this solely to deliberately bugger up IETF processes or output by participating in IETF activities. I can't imagine that funders with such motives would be that unsubtle and direct - they'd find someone who genuinely thinks that e.g. more complexity is needed for "foo" and fund them or even better they'd fund someone who has real requirements that suit the funder's needs - same as every funder.

3. Other than the scale, such activities are not that different from when vendor X plays a game against vendor Y proposals or technologies while at the same time both vendors contribute fairly in other areas. Our defence is the same: transparency, running our processes, broad participation and thorough technical review.

4. I'd have to imagine that most of that US$250M is spent outside of standards work, e.g. to pay vendors or service providers to do stuff that works for the funder, whether duplicitously or not.

5. I feel real sympathy for individual IETF participants sponsored by USG organisations - all of those folks I know have afaik been totally honest and above-board contributors. (Doesn't mean I agree with 'em of course:-) But I can't see but that there is real damage to trust there maybe mostly for IETF participants who don't personally know the people involved. That's a shame but I don't think folks funded by USG ought be silent - that'd make the overall situation worse same as any self-censorship.

6. There's really not much point in saying more on this. It's a PITA, but absent a smoking-gun like dual-ec-drbg, speculating on this is going to be counterproductive. Sure, we should review our stuff and see what needs changing/improvement but doing so on the basis of who paid whom is both very hard to do accurately and probably pointless. (As an aside - if you're reading this and have written some RFCs - have you looked over what you did to check how it might need changing?)

7. We should all definitely avoid any finger pointing at individuals both in fairness and for all the usual other reasons why we don't defame people on mailing lists. As list moderator, I'll slap down as hard as I can on any such mail, so please continue to not send anything like that. (And thanks for not doing it so far.)

8. If they insist on spending that money, they should just buy us loads of gigantic cookies for meetings. The discussion that'd ensue would kill productivity far more effectively:-)

If the above summary covered this, then I'd hope we can move on and not need much or any more discussion on the topic, but do folks think I'm wrong or missing important aspects? If this is close-enough, then you don't need to respond.

Regards,
S.

[1] http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
