Re: [CFRG] CFRG does standards and that is a general problem. Was Re: OCB does not have an OID specified, that is a general problem

Colin Perkins <csp@csperkins.org> Wed, 09 June 2021 14:15 UTC

Return-Path: <csp@csperkins.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7E1A3A18C6 for <cfrg@ietfa.amsl.com>; Wed, 9 Jun 2021 07:15:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=csperkins.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XDoYqPkXZhhB for <cfrg@ietfa.amsl.com>; Wed, 9 Jun 2021 07:15:44 -0700 (PDT)
Received: from haggis.mythic-beasts.com (haggis.mythic-beasts.com [IPv6:2a00:1098:0:86:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C946A3A18C8 for <cfrg@irtf.org>; Wed, 9 Jun 2021 07:15:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=csperkins.org; s=mythic-beasts-k1; h=To:Date:Subject:From; bh=nr7fbZVYuCAOltBjat5s9ynkKwUyceoQkah93hb05iI=; b=BovLyWshYNwiNXoDMQfJX9W+4m fneaGrkHQHf7xKcrYh7FwThXG/BdW7M3NLxtPFGC+fo5weo3jFayMgqctXSe3AhjxbNgN1WIV3veE eIPqBak3RJYXIvLzuHpr4z5jcuqYwl+KqmZizvUpGDyjKeBNA+PQIkNBxUeu1imcuglkCQcHv2cEf 4tHK7Y0sD4QIlv+X5jNhmBcCB2i79dUzOXM84K2bN5p4uTfDaOQ+W6qf5PTHv7geXOQnGMt3oR+7c e7/w8cq3HUHF0WeUhpjp0UmXX5hQ9gTBLozz8PKS4Uk4gPsz7wbrU3nJWaXHpKKxeOEExitucv0yU cBlai8Nw==;
Received: from [81.187.2.149] (port=48342 helo=[192.168.0.69]) by haggis.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from <csp@csperkins.org>) id 1lqyzd-0004qQ-Cr; Wed, 09 Jun 2021 15:15:41 +0100
From: Colin Perkins <csp@csperkins.org>
Message-Id: <6B53EE19-800C-4CA2-A802-4DD9550F4BEA@csperkins.org>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F2108A22-1E30-42E5-A59C-91AF4E29E6F0"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Wed, 9 Jun 2021 15:15:35 +0100
In-Reply-To: <d1788788-6478-3a33-b08a-c0189dc9acd6@nthpermutation.com>
Cc: cfrg@irtf.org, IAB <iab@iab.org>, The IESG <iesg@ietf.org>
To: Michael StJohns <msj@nthpermutation.com>
References: <CAMm+Lwizfw6=T28gGOgeGZ=4CEHsQ5BoWcAt5mOWbyJHLVJmuQ@mail.gmail.com> <B73FB6B1-3EFC-4AEA-9A99-8C047F478944@akamai.com> <773badc5fdc04c41a5ceea7ad4fe29fe@cert.org> <d1788788-6478-3a33-b08a-c0189dc9acd6@nthpermutation.com>
X-Mailer: Apple Mail (2.3445.104.21)
X-BlackCat-Spam-Score: 14
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/dePUzoZQu6wMJhOBIdr7arHuWnM>
Subject: Re: [CFRG] CFRG does standards and that is a general problem. Was Re: OCB does not have an OID specified, that is a general problem
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jun 2021 14:15:50 -0000

> On 8 Jun 2021, at 17:37, Michael StJohns <msj@nthpermutation.com> wrote:
> On 6/7/2021 9:53 AM, Roman Danyliw wrote:
>> I would like to propose that in future assignment of relevant OIDs and             JOSE identifiers be considered a requirement for similar work. If a spec for a symmetric mode isn't sufficiently specified to enable interoperable implementation in CMS and JOSE, it is not sufficiently specified to be an RFC.
>> That’s a reasonable thing to ask for, and something that could be caught by SECDIR or AD review.
>> 
>> [Roman] Agreed in the general case for the IETF stream.  For RFC7253, this review would have been during IESG conflict review because that document was IRTF stream (which doesn’t have an SECDIR review, AD review or even an IESG ballot).
>> 
IRTF stream drafts do get IRSG review before publication, but equally one of the reasons we have IESG conflict review is to catch this sort of thing if it's missed.
> This seems to be yet another reason why the CFRG should be a WG and not an RG. 
> 
You’ve repeatedly raised this point. The IRSG considered it, and the CFRG chairs and IAB discussed it in the last IAB review of CFRG. Each time, we concluded that the CFRG is best placed be able to bridge the cryptographic research community and the IETF as an IRTF RG.
> I know this is not a popular opinion, but I think by keeping the CFRG in the IRTF, we're actually hurting the IRTF.   In the deep murky history of the IRTF, the organization was originally (post Kobe) meant to be a place for exploration of a lot of different points of view.  The concept of a RG "adopting a draft" was pretty much anathema - the idea was for lots of competing ideas to make it through the publication filters after some peer review and thence on to the broader community for consideration within the protocol development community.
> 
Kobe was a long time ago. Organisations and processes evolve. 
> It was not to come to a "consensus" on the one true way.  It should be possible to go into a RG with an idea that meets the general theme and is at least plausible, without having to "win" a race of competing proposals, and come out of it with an RFC in much less than 2 years - even as an individual contributor.  I'm not sure that's still possible.
> 
I note that draft-oran-icnrg-qosarch-06 is currently in the RFC Editor queue as a non-consensus document on the IRTF stream. The initial draft was submitted in August 2019. CFRG works in a particular way. Other RGs can, and do, work in different ways.
> At this point, the IRTF is looking more and more like a more closed version of the IETF with many procedures mostly indistinguishable from the IETF.  A number of RGs even have IANA actions for their documents and that suggests standards creation is bleeding into the IRTF in a way that will diminish the worth of the IRTF as a place for ideas rather than finished designs.
> 
One of the roles of IRTF is to publish experimental protocols, to document ideas that are being prototyped to see if they’re usable at Internet scale, and to help the research community conduct deployment experiments. Sometimes those experimental protocols need parameter registries, so other experiments can build on top of them without conflicts. This can be abused, like everything, but I don’t see the concept of IANA registries in IRTF RFCs as inherently problematic.
> In the instant discussion, OID assignment should be done using IETF procedures.  And discussions on changes to IETF procedures are (or should be?) probably out of scope for an RG.  

Changes to the IETF procedures can only be made by the IETF, certainly, but the participants an IRTF RG can discuss whether they think those procedures ought to change, and whether they want to propose such a change to IETF, same as participants in any other venue can have such a discussion. 

-- 
Colin Perkins
https://csperkins.org/