Last Updated 10/7/2007

William Timothy Polk

Tim Polk is a current member of the IESG. Polk is employed by NIST (National Institute of Standards and Technology, a part of the United States Department of Commerce) and works as a supervisor in the Security Technology Division. Polk has a number of professional publications.

According to a 1999 Bio from the "2nd CACR Information Security Workshop":

Tim Polk joined the National Institute of Standards and Technology in 1982. After exploring computer networks and developing electronic publishing standards, he joined the computer security division in 1989. Initially, he performed research in integrity models, security tools for system administrators, and computer viruses. Since 1995, he has focused exclusively on public-key infrastructure issues. He has co-edited several IETF PKI standards, including the IETF PKIX certificate profile (RFC 2459), and co-authored NIST Special Publication 800-15, Minimum Interoperability Specification for PKI Components (MISPC).

TLS-Authorization Patent Scandal

See discussion of the Russ Housley draft-housley-tls-authz-extns Scandal for background information. Russ Housley and Mark Brown commit actionable fraud on the ISOC IETF activity in an effort to standardize a patented protocol without revealing the patent to the IETF. They succeed, but when the patent application is discovered, the standardization approval is removed. A second Last-Call is held, in which a rough consensus against the document emerges. Polk then takes over to continue efforts to obtain approval for the document via methods that don't require consensus. However, the protocol extension codes assigned by the U.S. Government (IANA) require a consensus.

Polk has taken over the unsavory drive to obtain IESG approval for the draft even though there is a rough consensus against publication. This action benefits his close personal and business partner, Russ Housley, and is a hard and improvident bargain for the ISOC IETF Activity and its members. This is serious ethical misconduct. Polk is a U.S. Government employee, performing this work under the employment of the U.S. Government.

Help Needed:

If anyone knows of any further links between Polk, Housley, Brown, Vigilsec, RedPhone Security, or NIST, please let us know.

It was very curious that Polk should tell Anderson he is going to wait until September 12th to make a decision, but instead acts on the 10th. Polk doesn't inform Anderson on either the 13th or the 18th that he has acted, and on the 18th implies he hasn't yet acted. If anyone knows of any benefit to Polk, Housley, Brown, RedPhone Security or anyone else from changing the state of the document on the 10th, please let us know. For example, a board meeting that made a decision that depended on the state change being effected.

Associations Between Housley and Polk

Russ Housley and Tim Polk co-wrote a book on Public Key Infrastructure (PKI) called "Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure", Wiley, (2001). According to one report, Polk and Housley 'labored mightily'

W. Timothy Polk, Lawrence E. Bassham, John P. Wack, Lisa J. Carnahan
"Anti-Virus Tools and Techniques for Computer Systems", Noyes (1995)

Russell Housley, Tim Polk, Warwick Ford, and David Solo. Internet Public Key
Infrastructure: X.509 Certificate and Certificate Revocation List (CRL) Profile, RFC
3280, April 2002.

Tim Polk, Russell Housley, and Larry Bassham. Internet Public Key Infrastructure:
Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate
and CRL Profile, RFC 3279, April 2002.

Polk reports that Housley is a close personal friend, and that their families get together socially:

There is one additional issue I would like to highlight in this
email. Russ Housley and I are good friends and our families get
together socially a couple of times each year. We have co-authored a
number of IETF documents during the past decade, as well as the book
"Planning For PKI". While this was not a factor in my consideration
of tls-authz, I would not want you to think I was hiding our friendship!

Housley and Polk are closely involved both personally, and in joint business ventures such as books.

Duties under the Law of Agency -- Conflict of Interest

Essentially, the duties of an agent/employee to the principal/employer are established in the case law, which establishes the justice of this kind of human interaction. The American Law Institute distills the cases into rules, along with an index to the cases establishing the rules. The American Law Institute publishes these distillations under the series of "Restatement of <subject matter>" and updates these volumes periodically. These distilled rules are references for both lawyers and judges.

From the Law of Agency, Second: (emphasis added)


§ 390. Acting as Adverse Party with Principal's Consent

An agent who, to the knowledge of the principal, acts on his own account
in a transaction in which he is employed has a duty to deal fairly with
the principal and to disclose to him all facts which the agent knows or
should know would reasonably affect the principal's judgment, unless the
principal has manifested that he knows such facts or that he does not
care to know them.

§ 390 Comment a. Facts to be disclosed. One employed as agent violates
no duty to the principal by acting for his own benefit if he makes a
full disclosure of the facts to an acquiescent principal and takes no
unfair advantage of him. Before dealing with the principal on his own
account, however, an agent has a duty, not only to make no misstatements
of fact, but also to disclose to the principal all relevant facts fully
and completely. A fact is relevant if it is one which the agent should
realize would be likely to affect the judgment of the principal in
giving his consent to the agent to enter into the particular transaction
on the specified terms.

§ 390 Comment c. Fairness. The agent must not take advantage of his
position to persuade the principal into making a hard or improvident
bargain.

We assume here that the ISOC/IESG/IETF Activity gave its consent for the adverse transaction.

  1. Polk is acting for Brown and Housley in promoting their non-free patented protocol.
  2. Polk has denied acting for anyone.
  3. Polk has acknowledged the difficulty of the effort.
  4. Polk has made the misstatement of fact that he has a duty to revive the draft from state "Dead".
  5. Polk has taken advantage of his position with the ISOC to persuade the ISOC into making a hard or improvident bargain.
  6. The non-free patented protocol draft-housley-tls-authz-extns is a hard or improvident bargain for the ISOC.
  7. Polk is persuading the ISOC that the document can be approved in the Experimental category because that category doesn't require a consensus.
  8. Polk is persuading the ISOC to state that there is a consensus to keep the IANA codepoints.

The rule of law is plain; it appears that Tim Polk violated his duty to deal fairly with the ISOC IETF Activity.

Further, the Restatement of Agency, Second states: (emphasis added)

§ 394. Acting for One with Conflicting Interests

Unless otherwise agreed, an agent is subject to a duty not to act or to
agree to act during the period of his agency for persons whose interests
conflict with those of the principal in matters in which the agent is
employed.

§ 394 Comment a. The rule stated in this section goes beyond that
stated in Section 391, which is limited to situations in which the agent
acts for an adverse party in a transaction to which the principal is a
party. Under the rule stated in this Section, the agent commits a breach
of duty to his principal by acting for another in an undertaking which
has a substantial tendency to cause him to disregard his duty to serve
his principal with only his principal's purposes in mind. [...]

This is true although the agent does not agree to give his full time to
the principal's business and does not use the time paid for by the
principal in acting for another. The danger that he will not be
impartial and that he will use confidential information obtained in the
business of one in the affairs of the other makes it improper for him to
act for both.

  1. Polk is acting for Housley and Brown in promoting their non-free, patented, proprietary protocol.
  2. Polk's undertaking has a substantial tendency to cause him to disregard his duty to serve the ISOC IESG with only the ISOC IESG purposes in mind.

The rule of law is plain; it appears that Tim Polk agreed to act, and indeed acted, for persons whose interests conflict with those of the ISOC in an undertaking that has a substantial tendency to cause him to disregard his duty to serve his principal (the ISOC IESG) with only his principal's purposes in mind.

Resources

Timeline

Todo:

 

Add ISOC Conflict of Interest Policy violation

Identify NIST Conflict of Interest Policy