Skip to main content

Appeal regarding threat on the TLS Mailing List (D. J. Bernstein) - 2024-12-15
Response to the Appeal regarding threat on the TLS Mailing List - 2025-01-09

Appeal Text
Appellant: Daniel J. Bernstein
Appeal to: Internet Engineering Steering Group (IESG)

Note: The Security Area Directors (ADs) did not take part in the processing of this appeal by the IESG.

Response

The IESG has reviewed the appeal of the TLS working group (WG) chairs’ decision to provide the appelant a public warning under the terms of RFC3934 which is part of BCP25.

The appellant states that “this complaint is an appeal under RFC 2026 Section 6.5.4 of a process failure under RFC 2026 Section 6.5.2” .The IESG notes that Section 6.5.2 governs “action taken by the IESG”. Sending a warning under BCP25 was within the purview of the TLS WG chairs, who are not part of the IESG. Thus, the IESG interprets this request instead to be an appeal under Section 6.5.1 of RFC2026, which governs working groups. The IESG confirms that the appeal was timely according to the terms of Section 6.5.4 RFC2026.

Based on the IESG’s review of the record and of the established appeals processes, the IESG is denying the appeal. It recommends that the appellant raise the matter with the responsible Area Director (AD) of the TLS WG. This approach is consistent with the appeals chain defined in Section 6.5.1 of RFC2026, where WG disputes are first escalated to the responsible AD before they come to the IESG.

The IESG acknowledges that the appeal text asserts a perceived conflict of interest (COI). The IESG presumes that this was the rationale appealing directly to the IESG, bypassing the responsible AD, contrary to the documented process. However, the IESG found no credible evidence of such conflicts.

Subsequent sections provide additional explanation to some points raised in the text of the appeal.

Lastly, the IESG notes that this appeal includes references in its background material to matters that appear to be entirely personal and irrelevant. The IESG considers the inclusion of such references to be, at best, inappropriate.

Discussion on Skipping of the Security Area Directors in the Appeal Chain

Responsible Area Director

Paul Wouters is the responsible AD for the TLS WG. The appeal chain for WG matters flows through him, per Section 6.5.1 of RFC2026.

The IESG reviewed the provided justification and found no credible basis for an actual or perceived COI that relates to this topic. As such, the IESG sees no basis for a direct appeal to the IESG that skips the responsible AD.

Non-Responsible Area Director

The appellant raised a COI concern about the other Security Area Director, Deb Cooley, by virtue of her prior employment at the US National Security Agency. Per Section 6.5.1 of RFC2026, the IESG notes that Cooley is not in the appeal chain for the TLS WG decisions since she is not the responsible AD.

Furthermore, the appellant raised the same COI concern on a different matter to the IESG in September 2024 and was answered by the IESG. To repeat the unchanged assessment:

As we understand your argument, you believe there is an obligation for recusal due to an inherent perception of conflict of interest for Deb for most matters related to cryptography in the IETF by virtue of her employment history with the US National Security Agency.

The IESG assesses that this question has already been answered in the negative by the 2023 NomCom [3] and the IAB’s confirmation of the NomCom’s choice.  Making technical judgements and facilitating processes around the use of cryptography in the IETF, and upholding community consensus policies set in BCPs (e.g., BCP188 “Pervasive Monitoring is an Attack”) are core responsibilities of a Security Area Director.  With full knowledge of Deb’s employment and the core responsibilities for a SEC AD, and assessing the community feedback on the candidates, the 2023 NomCom chose Deb as the Security Area Director. 

 

We consider this matter of COI closed based on the community process to select leadership. Further details on the NomCom can be found in BCP10.