RFC 9680 coauthor writes:
> If, on the other hand, your concern is that there has been a failure
> of IETF processes that has created an antitrust risk, then the
> appropriate course of action is to follow the appropriate IETF process
> for addressing that.

RFC 9680 says that it's "generally inappropriate" to discuss "market opportunities for specific companies". What's the IETF process for addressing violations of RFC 9680?

As part of messages to tls@ietf.org advocating IETF action, a Cisco employee claimed market opportunities for Cisco: "There are people whose cryptographic expertise I cannot doubt who say that pure ML-KEM is the right trade-off for them, and more importantly for my employer, that's what they're willing to buy." The message was from a Cisco address and also went out of its way to specifically name Cisco in the text.

I find it perfectly clear how antitrust litigation can address this. I don't find it clear that there are effective IETF procedures to address this.

I sent email requesting IETF LLC attention to this Cisco incident; the response didn't acknowledge the incident and didn't suggest specific followup procedures beyond this vague "appropriate IETF process" note. Hence my question above.

> If your concern is that the IETF processes contain an overlooked
> antitrust risk

That's certainly an issue too. One of my messages quoted, e.g.,

   https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52011XC0114(04)

asking whether there are "objective criteria for selecting the technology to be included in the standard". My message continued by asking where IETF's objective criteria are for deciding what to select, and where the documentation is that demonstrates systematic enforcement of those criteria.

RFC 9680 quotes BCP 9 text claiming that BCP 9 is designed to "provide a fair, open, and objective basis for developing, evaluating, and adopting Internet Standards". However, BCP 9 later contradicts this: first it waters the claim down to just "reasonably" objective, and then it admits that "there is no algorithmic guarantee".
Furthermore, anyone trying to find a statement of criteria in BCP 9 finds

   * broad non-objective criteria (e.g., "considered to be useful"),
   * no explanation of how different criteria are weighted, and
   * open-ended flexibility for the decision-makers (e.g., "IESG may").

The specific situation at hand illustrates the problem. How does anyone figure out whether Cisco's claim of market opportunities is relevant to the BCP 9 criteria? This isn't an isolated incident---we've seen such claims being raised again and again as arguments to override BCP 188 concerns, other security concerns, and other technical concerns.

---D. J. Bernstein