IETF Logo Mail Archive

Re: [Cfrg] would it be a good idea for CFRG to try review algorithm documents?

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 11 December 2015 04:29 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D53531A6EF0 for <cfrg@ietfa.amsl.com>; Thu, 10 Dec 2015 20:29:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RnArnwfldQ42 for <cfrg@ietfa.amsl.com>; Thu, 10 Dec 2015 20:29:14 -0800 (PST)
Received: from mail-lb0-x230.google.com (mail-lb0-x230.google.com [IPv6:2a00:1450:4010:c04::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 113141A6EED for <Cfrg@irtf.org>; Thu, 10 Dec 2015 20:29:14 -0800 (PST)
Received: by lbbkw15 with SMTP id kw15so63369606lbb.0 for <Cfrg@irtf.org>; Thu, 10 Dec 2015 20:29:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=2g4fajlyJV16fIz++aPh7I9ZmBC7IDFAJjjoZ5FXHNQ=; b=NxiYPRg8QvUB5gyKHZCRlFCx1eWS4XdaQZTkPFgtUqXgin36KgcXsdEHuUbmfyOdTx e1XfYyrGCChyuShuKtIanqrNJN8VDEU789xAcpPXFyuai5jH7nrqJgVEMRReWQJD/iyo 8pQ5K34TNv5Aw4JxOHje2sPSg4bo/zKD97Ahf627Wb5rVyIqyXJr5drz2PhbamoJp/1n N0usWdM1wCBuUllbl/K0AQwX3HbYeZjE1zcJ5lo6N09h2WXA8KsenGfpAj35KGCLdLyi j1iGsCwlyP67V3/tDqJEQ45aupe77EJ1n92pgl2dX/ly/d6OuoCr2+Y+NFK8oQhkMVn/ RNgQ==
MIME-Version: 1.0
X-Received: by 10.112.54.193 with SMTP id l1mr6781035lbp.58.1449808152212; Thu, 10 Dec 2015 20:29:12 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.1.227 with HTTP; Thu, 10 Dec 2015 20:29:12 -0800 (PST)
In-Reply-To: <5668D7A3.1070103@cs.tcd.ie>
References: <5668D26F.2020200@cs.tcd.ie> <5668D7A3.1070103@cs.tcd.ie>
Date: Thu, 10 Dec 2015 23:29:12 -0500
X-Google-Sender-Auth: 5idJ63-hMo3tjYSLNc-wRBTgluE
Message-ID: <CAMm+LwhEM_XK5aE4uXe+Y6cnfqaQ-Ng20k=O6v8Fo1xGPY-ypg@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="001a11c3a914e7bc0c052697c3b7"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/WqkCBUsUkxFuuxfGHf67Fe4SByg>
Cc: "cfrg@irtf.org" <Cfrg@irtf.org>, Nevil Brownlee <rfc-ise@rfc-editor.org>
Subject: Re: [Cfrg] would it be a good idea for CFRG to try review algorithm documents?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2015 04:29:16 -0000

On Wed, Dec 9, 2015 at 8:38 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Hiya,
>
> The IESG has another of those conflict reviews on Dec 17. In this
> case I doubt there's a process conflict (see below for details)
> as this is documenting some more details of the GOST suite which,
> as a national algorithm suite, kind of just is what it is.
>
> But as a non-cryptographer, I'd be happier if in future things
> like this (or non-national "vanity" algorithm descriptions) had
> gotten some review from CFRG, however I'm not sure if folks here
> would be generally willing to do that kind of review.
>
> The reason I'd like review is so that we have a better idea of any
> issues or caveats or cautions when/if the proponents of such
> algorithms come calling at the IETF's door for code points to
> use their algorithm in TLS/IPsec or whatever. (Which they usually
> do do.)
>
> If this was done informally and we got prompt and good reviews I
> think that'd be a fine thing, but if we try formalise it, then we
> might end up with some tricky process issues. And I'm not sure if
> folks here would be willing to do such reviews or able to get them
> done when needed (there aren't too many drafts like this but they
> do come along now and then in a reasonably constant dribble).
>

I would prefer that neither the IETF nor the IRTF did any crypto reviews
and no RFCs were issued or needed unless it was for an algorithm to be used
as RECOMMENDED or REQUIRED.

The rationale for this is that regardless of what status IETF considers a
document to have, outsiders naturally assume that every RFC is an IETF
recommendation. Trying to teach the world otherwise is futile.

While some protocols do have limited code points available, it is almost
certainly possible to extend these by allocating a code point for and
extension scheme. And I would use OIDs for the extension scheme rather than
IANA issued identifiers to further distance IETF.

Either review thoroughly or not at all. Leading people to think the
algorithm has been reviewed when it has not is only going to lead to tears.

v2.23.0 | Report a Bug | By Email