NSA Co-Chairs of Crypto Forum Research Group, Legitimacy of WebCrypto API in Doubt

odinn odinn.cyberguerrilla@riseup.net
Mon Oct 20 00:48:20 PDT 2014



For those of you on this list who have been watching the progress of
things relating to the W3C coordinated process for the WebCrypto API,
you know that a lot of work and thought has gone into this and it is
an impressive collaboration.

But with the IETF CFRG (Crypto Forum Research Group) still being
co-chaired by an agent of the NSA (n1), anything that passes through
that organization must be questioned at this time.  (In the unlikely
event that the CFRG page is censored after this message is sent, I've
included the names and e-mail addresses of the current co-chairs as
part of this message as they currently appear on the CFRG's site,
where their names and e-mail addresses have been sitting in full
public view for a very long time (n2)).

As some of you already know, people within the Crypto Forum Research
Group have tried (so far unsuccessfully) since last year (n1, n2, n3)
to remove the NSA Co-chair.  It should not matter who the person is,
but the issue is that having anyone who is in the employ of or
affiliated with the NSA chair (or co-chair) a research group whose
purpose it is to advise all IETF Working Groups, is highly problematic
for reasons which now should be obvious to anyone reading this message.

Currently the WebCrypto API is approaching its last call ~ it's in a
process of being finalized.  For those who are not sure what the
WebCrypto API is, it's one of those things that is designed to
basically help make ordinary webpages that you see work, and includes
the definition of cryptographic primitives that make your internet go.
That's a terrible description actually, but if you want a better or
more comprehensive description of WebCrypto API in plain English,
consider reading poulpita's blog (n4).  It's also described at a W3C
page as a "JavaScript API for performing basic cryptographic
operations in web applications, such as hashing, signature generation
and verification, and encryption and decryption. Additionally, it
describes an API for applications to generate and/or manage the keying
material necessary to perform these operations. Uses for this API
range from user or service authentication, document or code signing,
and the confidentiality and integrity of communications." (n5)

But the WebCrypto API Doc process, and indeed the legitimacy of
the WebCrypto API itself, should be questioned and doubted, for the
WebCrypto group has recently held off on including the widely-used
curve25519 within NamedCurve dictionaries or as part of its
extensibility and errata process, until the (NSA co-chaired) Crypto
Forum Research Group gives W3C the go-ahead.   For further information
and confirmation on this, see (n6) below.

If you are concerned about this, check out the message thread
discussing attempts to remove the NSA co-chair (n3) and consider
posting to the CFRG list (n7) about it once you subscribe.

NSA affiliated persons need to be removed from groups that influence
the direction of the entire web. I hope those who receive this message
will organize to help make that happen.

(n1) https://irtf.org/cfrg
(n2) From CFRG's public webpage (n1) as of Oct. 20, 2014:  "CFRG is
chaired by Kevin Igoe (kmigoe@nsa.gov), Kenny Paterson
(kenny.paterson@rhul.ac.uk) and Alexey Melnikov
(alexey.melnikov@isode.com)."
(n3) http://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html
(n4) http://poulpita.com/2014/08/28/w3c-web-crypto-whats-next/
(n5) https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html
(n6) https://www.w3.org/Bugs/Public/show_bug.cgi?id=25839 (see in
particular: comments 11, 12, 48, and 59 through 63 on that page)
(n7) https://irtf.org/mailman/listinfo/cfrg
- -- 
http://abis.io ~
"a protocol concept to enable decentralization
and expansion of a giving economy, and a new social good"
https://keybase.io/odinn



More information about the cypherpunks mailing list