IETF Logo Mail Archive

Re: [art] Call for Consensus: Re: On BCP 190

John C Klensin <john-ietf@jck.com> Tue, 20 August 2019 18:34 UTC

Return-Path: <john-ietf@jck.com>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE9C21207FE for <art@ietfa.amsl.com>; Tue, 20 Aug 2019 11:34:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c0TYkpE2PGhX for <art@ietfa.amsl.com>; Tue, 20 Aug 2019 11:34:02 -0700 (PDT)
Received: from bsa2.jck.com (bsa2.jck.com [70.88.254.51]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7DBD120046 for <art@ietf.org>; Tue, 20 Aug 2019 11:34:01 -0700 (PDT)
Received: from [198.252.137.10] (helo=PSB) by bsa2.jck.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1i08xA-000LE3-A4; Tue, 20 Aug 2019 14:33:56 -0400
Date: Tue, 20 Aug 2019 14:33:49 -0400
From: John C Klensin <john-ietf@jck.com>
To: Adam Roach <adam@nostrum.com>, Mark Nottingham <mnot@mnot.net>
cc: Jacob Hoffman-Andrews <jsha@letsencrypt.org>, ART Area <art@ietf.org>, Devon O'Brien <devon.obrien@gmail.com>
Message-ID: <C4BE71284D3C8DCA4F8F2187@PSB>
In-Reply-To: <80bb60b7-cdc7-0df8-6a33-726839b15dfe@nostrum.com>
References: <58BF6171-03BB-4F83-940F-3A101EFDD67F@mnot.net> <CAN3x4Q=Jo1uBvfCG6CSrociYgdG+E4jq+4cB1txPjgboth2q9g@mail.gmail.com> <372FA049-7B33-4981-A0E0-41BD454CB770@mnot.net> <CAN3x4QmJsfx48MdhcBB+XWX+vfv=skSR2Z6kNPBWGVobvzNuFA@mail.gmail.com> <004601d5450d$62b33220$28199660$@acm.org> <CAN3x4Q=XR+=ugv6HEmOgsA6v64GkQ+4u-Hk+OBQ0Lp9jn-Cy=A@mail.gmail.com> <D154BA24-5027-4FAF-8779-CBA5533D24A1@mnot.net> <3000e948-14e6-80d2-e8e6-766d309c361c@nostrum.com> <ed64dc0e-5b71-63ec-cbac-85673c51109a@nostrum.com> <301DF34E4C5601BCA4D2BCBF@PSB> <A27BC0BC-B60A-44AD-B75B-859C71B0706A@mnot.net> <E02E5D4BA18EF0155B0EAE95@PSB> <80bb60b7-cdc7-0df8-6a33-726839b15dfe@nostrum.com>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-SA-Exim-Connect-IP: 198.252.137.10
X-SA-Exim-Mail-From: john-ietf@jck.com
X-SA-Exim-Scanned: No (on bsa2.jck.com); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/UtZhtWTqYY5_Z86ounzPc1_fXaI>
Subject: Re: [art] Call for Consensus: Re: On BCP 190
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2019 18:34:04 -0000


--On Tuesday, August 20, 2019 12:14 -0500 Adam Roach
<adam@nostrum.com> wrote:

> On 8/20/19 5:55 AM, John C Klensin wrote:
>> * For Adam, there is some question in my mind about whether it
>> is desirable to clear a Discuss based on a plan about a
>> document that has not been written yet, that has no firm
>> schedule, etc.
> 
> 
> I agree that it's not ideal. I'm having to balance the
> possibility that the end result of community discussion will
> result in not removing this restriction against delaying the
> TRANS document until we're 100% certain. Given that we've done
> a reasonable shaking of the trees over the past month, and no
> one has dropped out to strongly defend the specific provision
> in question, it appears likely that the end result will work
> out. Is this perfect? No. Is it pragmatic? Yes; and you've
> been championing pragmatism in this thread, so I would expect
> you to be on board.

I am on board (a bit more explanation in my response to Ben).   

I don't think we are far apart, so let me try saying this in a
different way.  I think there is at least rough consensus that
parts of RFC 7320 were a mistake, whether because their were
overly prescriptive or for some other reason.  I don't think
there is consensus about which parts or what the right remedy
for them is.  The best way to deal with that problem is exactly
what you and Mark have proposed -- get a new, replacement, I-D
up and focus on it rather than on picking 7320 apart.

In a more perfect world, I'd like to see 7320 deprecated, with
the focus on that new document and no actual or apparent
conflict between CT and anything.  If that were proposed now,
I'd oppose it because it would hold the other work up by at
least four weeks to no good purpose.  On the other hand, while I
don't think it is important enough to hold things up either, I'd
be happier with a statement from you that, instead of saying
that you are clearing the Discuss because Mark is working on a
revision, said something closer to that you are clearing the
Discuss because there is a plan about a revision but, if that
doesn't happen, you will open a discussion about deprecating
7320.  Don't waste time with it now, but I believe that thinking
about the difference might inform future actions and might
better explain what I'm objecting to.

Also...

>...
> I suspect that part of the problem is that you're too close to
> ART technologies to see the forest for the trees, and so
> assume a level of expertise in ART technologies across the
> entirety of the IETF that is somewhat higher than actually
> exists.

I actually don't think so in this case.   FWIW, remember that
I'm spending most of my IETF time these days on
Internationalization, a topic area that has been rooted in Apps
and now ART but that his implications in many IETF areas.  It
would it would be quite difficult to underestimate the level of
expertise across the entirety IETF or even in ART as a whole.
So I am reasonably familiar with that problem. 
 
> This might become clearer if we hypothesize an identical
> situation with the players reversed: if an ART working group
> had specified the population of an initialization vector for
> an encryption algorithm in a way that had been documented by
> the SEC area as problematic, I would hope that the SEC ADs
> wouldn't write that off as simply representing "newer
> thinking" about cryptography, and that they would insist that
> the document conform to documented security practices; or,
> failing that, at least involve the SEC community in a
> discussion about whether the specific use of security
> technology was, in fact, problematic.

Agreed.  But not quite an identical problem.  If this had been
about, e.g., an issue with calendaring, I'd say "nearly
identical problem".  If there were reasonably high confidence
that the active participants in the WG understood the issues
(and, btw, there were more than three or four of them), I would
also expect that most of us would be comfortable going forward
within in-depth review from elsewhere in the IETF.   However,
that is much less true of things like URIs or some other
web-associated technologies, especially when the IETF is
considering foo-over-HTTP protocols and XML and JSON as general,
and perhaps mandatory, data representation structures.  Similar
comments can be made about i18n because, while much of the
action is in ART, there are issues about identifiers and other
issues in multiple areas --Security and Internet being obvious
examples-- that the IETF is in trouble if all of the expertise
is in ART and others become inclined to just let things go
(especially given how little expertise there actually appears to
be in ART).

There is another difference.  In the example you used, it would
be reasonable to assume that the documentation in the SEC area
actually represented consensus  in the area and among experts (I
think, at least historically, almost the same thing in SEC,
although not quite) about the problems.   I don't believe that
is the case about 7320 across the ART area, as some of the
discussion _among active participants in ART_ in the various
recent threads about BCP 190 illustrates.  I don't believe it
was the case five years ago either, but that would be hard to
prove at the time.  That suggests an intra-ART problem and is
closely connected to why I've felt from the beginning of this
discussion that the IETF had a BCP 190 problem and not a problem
with the CT work.  

So, should ART have flagged this?  Absolutely.  But then I think
we should have figured out, much more quickly than we have, that
there are fundamental problems with BCP 190, started addressing
those problems a month or two ago, and figured out how to Do the
Right Thing and move on -- both to clear the CT work to progress
and to start cleaning up 7320.  


> If you think that would be the wrong outcome, then I believe
> we simply have an irreconcilable difference of opinion. I
> will, of course, consider input from the community on this
> topic and act accordingly, but I suspect that most people
> will, after careful consideration, agree that these kinds of
> backstops are actually useful.

I think that is the right outcome.  I also think that at least
part of that outcome is tied up with what we (at least used to)
call cross-area review.  I don't think the IETF is doing nearly
as well about that as we used to.  That is mostly a separate
topic, but I think it calls for extra caution.  

best,
    john

v2.23.0 | Report a Bug | By Email