On 1/22/14 11:40 AM, Phillip Hallam-Baker wrote:
I find it rather interesting that someone who takes great offense when
it is pointed out that he works under contract to the NSA goes after
people for having a 'hidden' agenda.
If you want to start questioning people's ulterior or bought motives
you are sawing off a mighty fine branch there and it's the one you are
standing on.
Is the reason that you are arguing against Omnibroker so hard because
someone in Fort Meade is getting nervous? Maybe they should, they had
three people come to see my first public talk on PRISM-PROOF email. Or
is it impolite for me to ask such questions because you are the only
person allowed to call people's motives into question?
PHB,
I'm pretty sure communism didn't enter into my comments on your
proposals :-).
I also have no idea whether anyone at NSA has any interest in Omnibroker. To
the extent that it represents an opportunity for centralizing and outsourcing
trust services, I can imagine some there might even find it attractive :-).
I have absolutely no desire to watch any YouTube videos you have produced.
I'd like to think that, during over 30 years of participation in
Internet standards, my agenda has never been hidden. Yes, I am a
government contractor. I have received funding from various parts of the
DoD (including DARPA, DCA, Army, Navy, etc.), the DHS, and
other organizations. In most cases, and for all of my recent funding
(say, over the past 20ish years) the work I do is the result of what I
have proposed to funding organizations, because I think it is useful for
improving Internet security. I don't tend to bid on BAAs or RFPs from
funding agencies; instead, I approach them, describe security problems I
think are important and where I think I can help, and ask for money to
do the work. Sometimes I get funds, sometimes not. But my agenda is
overt. Sometimes IETF participants have asked why I participate in the
IETF, since I do not work for a product company or a service
provider, and I've explained, as above.
For example, my work on IPsec was motivated by years of experience with
layer 3 security technology. When I began working at BBN, in the later
70's, we had an ARPA (now DARPA) project to build the first packet
network encryption system, using a KDC. I worked on that project,
extending the architecture to accommodate multiple KDCs (for robustness)
and to enable establishing security associations across administrative
domains. The hardware we used (inline hardware crypto, built by another
government contractor) employed the first DES chips certified by NBS
(now NIST). BBN wrote the software, which worked with early versions of
TCP and IP. This work was completed, including performance testing,
several years before MIT initiated Project Athena, and developed Kerberos.
In the latter 80's and early 90's I was a participant in the SDNS
(Secure Data Network Systems) program (which was sponsored by NSA) to
develop network layer crypto systems for protecting DoD classified data.
That program developed SP3, a precursor to IPsec, and MSP, some aspects
of which appear in S/MIME. The MSP work leveraged my experience leading
work on PEM, the first e-mail Internet standard security protocol. (PEM
was initially developed in the Privacy and Security Research
Group, then in the PEM WG, both of which I chaired.) This showed that
DoD-sponsored work can benefit from work performed in the "outside" world.
In the late 90's and through 2005, I contributed to, and eventually
became responsible for, the IPsec RFCs, bringing to that effort some of
the experience I gained in the SDNS program. (BTW, all of the SDNS
protocol specs were unclassified, because NSA wanted vendors to use them
in building systems to protect unclassified, as well as classified,
data.) So, in this case, experience flowed from government work to the
public standards sector.
At one time NSA bought into what the big telecom providers were saying,
and created network layer crypto that worked only with ATM. This was
brought to my attention by a router vendor, who was hoping to sell
products to DoD clients, who could not use the routers because they were
not compatible with the latest, fastest crypto available for protecting
classified data. When I became aware of this I urged NSA to revisit
IP-based network crypto. They had been told that IP-based crypto systems
would be slow, compared to the ATM-based systems they were fielding. So,
some colleagues at BBN and I designed a 10Gb/s IP crypto device (that
used DoD algorithms approved to protect classified data), to demonstrate
that IP crypto could be fast. That effort (yes, we were paid!) led to a
significant program change, so that when ATM stopped being the "next big
thing" and fast IP routers were available, there were network layer
crypto devices that would work with them. The resulting products were
called HAIPEs (High Assurance IP Encryptors). I wasn't pleased with all
aspects of those products, but at least we avoided the ATM dead end :-).
I chaired PKIX for about 18 years; part of the funding for my
participation came from the DoD. They were making a big investment in
PKI and were willing to help support work that advanced PKI standards.
They became a big user of OCSP (not my personal favorite protocol, but
...) and thus benefitted from the existence of an IETF WG that offered a
forum for developing PKI standards. My co-chairs over this time included
folks from the PKI industry, NIST, and Microsoft.
Since the late 90's I have worked on architectures to improve
inter-domain routing security. This work was sponsored initially by
DARPA, and later received DHS funds, in part because the principal
sponsor moved from DARPA to DHS! My work in SIDR, on the RPKI and
BGPSEC, has been paid for by DHS and DoD, because they see the need for
better routing security. Nothing mysterious there.
Overall, I am pretty proud of the work I have done in the IETF, the 22
(soon to be 23) RFCs that I've published, my time on the IAB, chairing
the PSRG, PEM and PKIX WGs, serving on four Nomcoms, and my
contributions to other WGs. In all of the years that I have worked on
Internet standards the only RFC that I recall writing in response to a
request from the DoD was my first, RFC 1108. That RFC (published in
1991) described the IPv4 basic and extended security options, as
implemented in a DoD network crypto system (BLACKER) of the 80's. I
don't think that work, or anything I have done since, makes me an agent
provocateur.
Steve