A National Security Agency employee will continue to co-chair an influential group that helps to develop cryptographic standards designed to protect Internet communications, despite calls that he should be removed.

Kevin Igoe, a senior cryptographer with the NSA's Commercial Solutions Center, is one of two co-chairs of the Crypto Forum Research Group (CFRG), which provides cryptographic guidance to working groups that develop widely used standards for the Internet Engineering Task Force (IETF). On Sunday, the chair of the group that oversees appointments to the CFRG rejected a recent call that Igoe be removed in light of recent revelations that the NSA has worked to deliberately weaken international encryption standards.

"Widespread wiretapping by nation-state adversaries is a threat unlike any other in the history of the Internet, but I do not believe that preventing interested people from participating in the IRTF or IETF based solely on their affiliation will help us combat that threat," Lars Eggert, chair of the Internet Research Task Force (IRTF), wrote in an e-mail. The IRTF focuses on long-term research and is responsible for the CFRG and eight other research groups. Meanwhile, the IETF is a parallel organization that focuses on shorter-term engineering standards that are crucial for the Internet, such as the Transport Layer Security (TLS) protocol for Web encryption.

Eggert described IRTF co-chairs as "little more than group secretaries" who lack the ability to influence the technical advice the groups deliver to the IETF working groups. Besides arguing that the removal of Igoe might set a precedent to exclude all individuals affiliated with the NSA, Eggert said the proceedings of the CFRG and other IRTF research groups are transparent enough that attempts by the NSA to sabotage cryptographic standards wouldn't escape notice.

"Any participant suspecting misconduct can raise any issue either in the group or to the IRTF chair, as Trevor Perrin has done in this case," Eggert wrote. "This is how our process should work, and this is why any individual participant—co-chair or not—is unlikely to be able to subvert ongoing research group work."

Eggert's e-mail was in response to the December 20 call by crypto expert Trevor Perrin that Igoe be removed from the CFRG. In that earlier e-mail, Perrin criticized Igoe for recommending that the TLS working group fold a largely unproven password-authenticated key-exchange (PAKE) protocol known as Dragonfly into TLS, the protocol that is widely used to encrypt Web communications. In a response posted Monday, Perrin continued to press for Igoe's removal. Among other things, Perrin rejected Eggert's statement that co-chairs have no more influence over research groups than other members.

"Chairs are responsible for creating agendas, running meetings, deciding when and how to call for consensus, interpreting the consensus, and liaising with other parties," Perrin wrote in the response. "All this gives them a great deal of power in steering a group's work."

Perrin also challenged Eggert's claim that the IRTF's open process was an adequate safeguard against NSA subversion of crypto standards.

"I worry about soft forms of sabotage like making Internet crypto hard to implement securely and hard to deploy widely; of tipping groups towards dysfunction and ineffectiveness," he wrote. "Since these are common failure modes for IETF/IRTF crypto activities, I'm not convinced IETF/IRTF process would adequately detect this."

Anyone who has spent time watching how technical standards are adopted knows that the process is often messy, highly contentious, and filled with claims of favoritism to the wishes of special interests. Last year's leak of secret NSA documents showing how the agency has worked to weaken widely used crypto technologies casts those partisan squabbles in a new light—at least when the squabbles involve concerns about government sabotage. As Perrin put it in Monday's e-mail to Eggert:

You did not consider the cloud of distrust which will hang over an NSA-chaired CFRG and over the ideas it endorses. You also did not consider that as the premier Internet standards organization, the IETF/IRTF's actions here will make an unavoidable statement regarding the acceptability of such sabotage. We have the opportunity to send a message that sabotaging crypto standards is unacceptable and destroys public trust in those organizations in a way that has real consequences. Or we send a message that it's no big deal. This is a political consideration rather than a technical one, but it needs to be considered. We're sending a message either way.

Perrin went on to ask the Internet Architecture Board, which appoints the IRTF chair, to review Eggert's decision.