Re: [CFRG] Escalation: time commitment to fix *production* security bugs for BLS RFC v4?

Paul Hoffman <paul.hoffman@vpnc.org> Sat, 24 April 2021 17:53 UTC

From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "Quan Thoi Minh Nguyen" <msuntmquan@gmail.com>
Cc: cfrg@irtf.org
Date: Sat, 24 Apr 2021 10:53:31 -0700
Message-ID: <413D8017-047F-4A86-BEDD-7BED6BBB972B@vpnc.org>
In-Reply-To: <A1765592-7AF7-4F3A-8B22-C5BD6C059A7C@akamai.com>
References: <CAAEB6g=tU=MF1_QKduEN55ft0rWe+7x0wBbywS083fJrjzP=XA@mail.gmail.com> <20210423195504.d6f74x4jsdrzagcc@muon> <CAAEB6g=dcsRKz6zm7F15F-uZ7Zfi_qF06KwQXmrireKEKZYHFg@mail.gmail.com> <49ca86ec6409217d60e3f2e94e3090ef2b571f80.camel@loup-vaillant.fr> <A1765592-7AF7-4F3A-8B22-C5BD6C059A7C@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/2clgMQK_7jnmZJtbZ67A5Q_0iZM>

On a tangential note, but one that is relevant to your complaint:

- Internet Drafts are absolutely not RFCs. RFCs always have been more 
reviewed than Internet Drafts. That is, even the "final" draft that is 
given to the RFC Editor has additional reviews that sometimes surface 
technical bugs that must be fixed before the RFC is published. As others 
have pointed out, implementing from an Internet Draft comes with 
significant risks.

- The CFRG does not create standards. All RFCs from the CFRG have a 
status of "informational", not "standard". They might be treated as 
standards by implementers, but they are not in fact standards. In the 
IETF, standards have more reviews than CFRG RFCs.

(I note that https://github.com/cfrg/draft-irtf-cfrg-bls-signature 
incorrectly uses the word "standard" at the top of the repo. Maybe the 
CFRG chairs could review all of the repos in https://github.com/cfrg to 
make sure that their wording is accurate.)

--Paul Hoffman