Stuff about me

Name: Stephen Farrell

Phone: gsm (preferred): +353-87-854-0597, office: +353-1-896-2354


Home Page:


Picture of me - don't worry, you're not missing much!

Text last updated: 2014-11-21, if you don't like that photo: younger me


Working in IT security since 1986, I have accumulated a very broad range of engineering experience and expertise in many areas of computer security, primarily those involving the use of cryptography. Since 1995 I have been involved in a range of IT security standardization activities, which has given me the opportunity to work alongside some of the most well-known experts in the field. As well as authoring various standards documents, in the past I co-chaired an Internet engineering task force (IETF) security working group (sacred) and a world-wide web consortium (W3C) working group on XML key management (xkms), both of which groups concluded successfully - as they ought. I was also involved with some anti-spam work as co-chair of the IETF domain keys identified mail (dkim) working group and was an invited expert participating in the W3C web security context working group (wsc), which was basically a group of security and browser folks who were trying to improve on the current "padlock" security indicator in browsers.

My involvement in Internet standards has recently increased quite a bit since I took over in April 2011 as one of two IETF security area directors, and hence a member of the Internet Engineering Steering Group, which is the technical management committee of the IETF. That means I now need to read, and (sort-of) "vote" on all new IETF RFCs for the next couple of years (or until they chuck me out:-). In one week (2011-05-26 telechat), that meant reading and commenting on 623 pages of Internet-drafts, but that was a bad week - the average is 400 pages every two weeks. I'm also a member of the Internet research steering group (IRSG) which does a somewhat similar job for the far fewer documents produced by Internet research task force (IRTF) research groups.

Areas of security I've mostly worked on include Public Key Infrastructure (PKI), authorization and security for web services. In terms of my current approach to that kind of work, I would generally like to see better deployment of security technology, even if that appears to come at the expense of "purity." That represents a bit of a change from the approach we all had when we first started working on PKI.

Until I started doing more security again recently, I was really more interested in networking and, in particular, highly-challenged networks (e.g. networking in deep-space as envisaged by the group working on the InterPlaNet). That work is mainly done in the context of an IRTF group on delay tolerant networking (DTN) where I also help out as co-chair. In 2006, I co-authored what we believe is the first book about delay and disruption tolerant networking. But I don't just do DTN bureaucracy - I'm also quite involved in most of the security work being done in that context as well as in the definition of a long-haul delay tolerant protocol called LTP (RFC 5326) that was used (by NASA, not me) to talk to a spacecraft 25 million km away! In that context, what's most interesting to me is how DTN concepts (and maybe even concrete protocols) might form a part of the future Internet architecture, especially for its more challenged nodes (which I reckon will always exist).

In day-to-day terms, other than teaching a bit, I'm involved in an EU-funded supporting action called STREWS where we're trying to bridge between security researchers and those involved in W3C and IETF standardisation. STREWS sponsored and arranged (and I chaired) the 2014 Joint IAB/W3C workshop on Strengthening the Internet against Pervasive Monitoring (STRINT).

Pervasive Monitoring (PM) is something that as you can imagine has taken up a lot of my time in the last 18 months or so since we started getting a better picture of exactly how much some government actors are snooping on the Internet. That however has re-invigorated a lot of Internet security folks with the result that a lot of good progress has been made on Internet security in 2013 and 2014. I've been helping to lead some of that within the IETF where I was the main author for RFC 7258 titled "Pervasive Monitoring is an Attack" and which set the scene (well, I think it did:-) for a number of other security activities for example, the IAB statement saying encrypt it all, the DNS Privacy working group, the TCP increase security and drafts on opportunistic security and on confidentiality for MPLS. I think it's fair to say that the STRINT workshop and working to get IETF consensus on RFC 7258 were both significant enough contributions to all that happening. I've also been helping out (non-technical help only, sadly) a bunch of folks who're trying to develop an open-source hardware security module (HSM) in order to try provide better confidence in the implementation of cryptography - that's a fine project called Cryptech and you should help them out if you can with funds or work.

I've also recently started trying to figure out how we can better bridge between techies and some data protection agency folks - we had the IPEN workshop in Berlin in September, organised mainly by the European Data Protection Supervisor and a group of us are working to see how best to proceed from here. My main goals there would be that we try help policy folks to not make technical mistakes and educate technology folks about the issues policy folks face. And then we'll see what happens.

In terms of other older projects, the most fun one was an EU funded DTN project on reindeer tracking and communications services for the reindeer herders - that was called N4C (Networking for Communications Challenged Communities) and started in May 2008 for 3 years. We've published the full results of our N4C trials in the arctic, including all the code, logs etc. and there's an informal blog-like description of our 2010 trial here.

In August 2010, we started a related project on Information Centric Networking, (in our case based on DTN) - that's being done as part of a very large EU funded project (an "IP") called SAIL where TCD are working on the so-called Network of Information (NetInf, in our case a DTN-based ICN just to talk acronym-babble for a moment:-). SAIL was my main day-to-day project in TCD until about the end of 2012. We're also doing a little work on yet another EU funded project on medical informatics, in that case providing a security model and a content security API - that's the TRANSFoRm project, but our involvement is quite small there, at least in terms of effort.

Also in 2010, with a couple of partners, I also started up a campus company, Tolerant Networks Ltd. to do non-research DTN projects. As Tolerant Networks, we've worked with a UK company called SciSys as a subcontractor on a European Space Agency (ESA) funded study about the use of DTN protocols in space. And we subsequently carried out another DTN study for ESA on potential uses of DTN for (Earth orbiting) satellite. (MUDSAT)

Before all of those I worked on an Enterprise-Ireland funded (2005 technology development fund) project on sensor networking with delay tolerance (SeNDT - intended to sound like "scent"), focused mainly on piloting some DTN based technology we had developed for environmental monitoring, in particular, lake water quality monitoring, but using delay tolerant protocols.

I'm also on the editorial board of IEEE Internet Computing magazine. And I'm a Senior Technical Advisor to the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG).

From July 2007 until April 2010 I was part-time chief technologist with NewBay software, an excellent company that provide user generated content management software and services for mobile network operators. That's a kind of Web 2.0 meets the bell heads gig, which was interesting, especially when the applications are offered to such large sets of users (in the millions).


Current Employment

Dates | Organisation | Position
May 2002-Date | Trinity College Dublin | Research fellow, Part-time lecturer


I'm currently co-supervising (with Stefan Weber) a student (Elwyn Davies) who is getting along with the work of (hopefully) acquiring a PhD on DTN routing. Ask Elwyn if you want to know more.

I teach a course introducing computer security (CS7053) as part of the Masters in Networking and Distributed Systems (NDS) and have supervised a number of NDS MSc dissertations (7 to date), and a PhD (Alex McMahon) and MSc by Research (Aidan Lynch). Last year's course materials are at

Past exam questions (with marking schemes/answer outlines) for my courses can be found at:

Dates | Company | Position
2007-2010 | NewBay Software | Chief Technologist
1999-2003 | Baltimore Technologies (Website seems to be defunct!) | Chief Security Architect; Director of Research; Senior Research Associate

With NewBay I contributed to product architecture and creating product, services and operational security processes. I also established NewBay's internal patent scheme and filed a number of patent applications on NewBay's behalf. (See USPTO applications 20110004924 and 20100064377 if you care;-)

I began with Baltimore as Chief Security Architect, reporting to the Director of Research (a position I assumed in Spring 2000 until transitioning to part-time in May 2002 as Senior Research Associate, I only finally quit in June 2003). With Baltimore my main responsibilities included:

Baltimore are no longer in the technology business, though the company still seems to exist (sort-of). There's a wiki page about it (usual caveats!)

Earlier Employments

Dates | Company | Position
1992-1999 | Software and Systems Engineering Ltd. (SSE), a Siemens company. (Defunct DNS name! Subsequently, SSE were subsumed into now also a defunct DNS name!) | Developer, then security architect for a range of security products. Occasional tasks included: Siemens-internal security consulting; Bid consultant; External consulting; Some standardization work
1991-1992 | Silicon and Software Systems Ltd. (S3) | Project leader developing GSM test software (embedded systems) for Philips
1989-1991 | Intrepid Ltd. | Main security developer of telephone security product in startup company (Milcode: a CELP voice coder, encryption)
1986-1989 | C.O.P.S. (Europe) Ltd. (partly re-formed as Realace Ltd following 1988 liquidation) | Researcher, then project leader on EU funded R&D projects in security (ESPRIT MARS) and formal methods (ESPRIT METEOR).


Internet Drafts

These are all works-in-progress that may or may not become Internet RFCs.

Current Drafts

Expired stuff (might or might not get revived)










Book cover (not that nice;-)

"Delay and Disruption Tolerant Networking," Stephen Farrell and Vinny Cahill, ISBN 1-59693-063-2, Artech House, 2006.

There's a selection of book sellers here and another here. The publisher's page is here.











Internet RFCs

A note on RFCs as publications: Since I currently work in an academic institution, people care a lot about peer reviewed publications, but generally seem not to properly credit documents in the RFC series, so, with the aim of helping to redress this imbalance, here's a bit of history about one of the above RFCs. RFC 3281 is a standards-track document, published in April 2002 based on the 9th revision of the corresponding Internet Draft. The first version was published in April 1999 and during that three year period members of the IETF PKIX working group (with O(100) active participants) publicly commented on the draft many times, for example, the list archive shows one thread discussing encoding issues that involved about a dozen different individuals. Over the entire period, perhaps O(100) independent comments were disposed of. Google scholar currently (Nov 2014) returns some 611 citations for this RFC. The conclusion? Many, though not all, of the documents in the RFC series are important, high-quality publications that have undergone as thorough a review as a journal article and the fact that almost all aspects of that review are publicly archived gives the reader the chance to gain a much more fully-rounded understanding of the technology and its development.

Other Internet drafts

These are Internet drafts that I co-authored that were a bit interesting but didn't end up as RFCs for various reasons. They are, of course, all "expired," but still more or less available, though you might have to search.

Various activities

Things I do and don't get paid for (well, sort-of:-) Most-recent first

Academic and Industry Group-Things

Some standards things, some proposal reviewing and a few odds and ends (actually, some of this can be fun).

Programme Committees

These are the groups who review submissions for conferences etc. I've mostly stopped adding to this.


Things with slides but (mostly) no papers. I've stopped adding to this bit too







2004 and before