Opening Discussion: Speculation on "BULLRUN"...

Speaking as someone who followed the IPSEC IETF standards committee pretty closely, while leading a group that tried to implement it and make so usable that it would be used by default throughout the Internet, I noticed some things:

 

  *  NSA employees participted throughout, and occupied leadership roles

     in the committee and among the editors of the documents

 

  *  Every once in a while, someone not an NSA employee, but who had

     longstanding ties to NSA, would make a suggestion that reduced

     privacy or security, but which seemed to make sense when viewed

     by people who didn't know much about crypto.  For example, 

     using the same IV (initialization vector) throughout a session,

     rather than making a new one for each packet.  Or, retaining a

     way to for this encryption protocol to specify that no encryption

     is to be applied.

 

  *  The resulting standard was incredibly complicated -- so complex

     that every real cryptographer who tried to analyze it threw up

     their hands and said, "We can't even begin to evaluate its

     security unless you simplify it radically".