[Curdle] Advice on SFTP toward RFC?
denis bider <email@example.com> Fri, 16 February 2018 01:09 UTC
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05DA9126CF9 for <firstname.lastname@example.org>; Thu, 15 Feb 2018 17:09:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([220.127.116.11]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nyf0PL72HA52 for <email@example.com>; Thu, 15 Feb 2018 17:09:06 -0800 (PST)
Received: from mail-qk0-x229.google.com (mail-qk0-x229.google.com [IPv6:2607:f8b0:400d:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A12A7124235 for <firstname.lastname@example.org>; Thu, 15 Feb 2018 17:09:06 -0800 (PST)
Received: by mail-qk0-x229.google.com with SMTP id c128so2023809qkb.4 for <email@example.com>; Thu, 15 Feb 2018 17:09:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=HJbyhHGOJTht+KziW2TQzSB6ncWOU3/e7aLay03GjmE=; b=UI+dsEdI4not8vso38OCeMYHfVqbrPqVGtcWpANis7ENwcRm42EsbouDBbIKrw4gyf dV3L+XDqRd7y+E5yi2IFGzhjBaBK+7PRzbvjFv/gTrsgVwtQo1N5KSO47oI+2R5tKA02 emz3rakV7wPyQ8QgQ3vXJNjBxs4ryMzIAvOUnRAt1iBgqHJRUjeIteD19kdjytE2RwUQ FAMv8S14ClABYjS//Qe058nunN3tblKbJNu9386LjwA4C9XLxSewL0mai5K0uOrsWoo1 ZF7RUrW1mmIvQZWnfOnraMm99ySZw/mvfsDt/3NGSuKreOFH5lky/Y62iIbP4xsGAguH d9Lw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=HJbyhHGOJTht+KziW2TQzSB6ncWOU3/e7aLay03GjmE=; b=SJPMjYJ9+xy0djEFKL4G1VH/KzFm8oc1eK3J6IDRloH4btt6eQcdU13vuMVb/PFBoJ 3eQCp7uK3bpyp0dYcM5BaUzmVv75fBpIspeSPWSe4NcVLfxotaS9F8mkqa48Xs3/4A9m Y8vE5sYVOSbFAepemTU73YX/L5pwwCsgRlogs+6OuWTMu3PC79+REC7P6rXMjJPFe5h8 fkQLzzoLfAf6HU6b3HrDkoIrGpl2bikCmTxroaHetPV+/u52OKzQI59+ZiqiPBTLgxdf wv4+EKhfxpXSjWo4zxePq8GcWh1xKYS9aYNDvwu45kYpUAY3QcAzLf+Ma8tbPXJPS8kV WhpA==
X-Gm-Message-State: APf1xPCIM9aOUHYKYiAs4QtWzz9GAuaofIC+EL9xMvomlmKZxil0yjXs 78QSOxt+gnLw2tz39h/PvwtfBnDrvTXH8UdyEk5vwA==
X-Received: by 10.55.26.69 with SMTP id a66mr7506403qka.146.1518743345641; Thu, 15 Feb 2018 17:09:05 -0800 (PST)
Received: by 10.12.136.92 with HTTP; Thu, 15 Feb 2018 17:09:05 -0800 (PST)
From: denis bider <firstname.lastname@example.org>
Date: Thu, 15 Feb 2018 19:09:05 -0600
To: curdle <email@example.com>
Content-Type: multipart/alternative; boundary="001a1147a6549f3dc1056549fd25"
Subject: [Curdle] Advice on SFTP toward RFC?
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:firstname.lastname@example.org?subject=unsubscribe>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:email@example.com?subject=subscribe>
X-List-Received-Date: Fri, 16 Feb 2018 01:09:09 -0000
Hey everyone, I understand this is not covered by Curdle's charter, but we've made some progress with SSH here, and I would like to seek any advice folks might have about the SFTP situation. I would be happy to receive any responses privately since prolonged discussion would not be relevant to the group. SFTP is a widely used internet protocol that exists in two main versions: SFTP v3 with OpenSSH extensions, and SFTP v6. SFTP v4 is also widely supported, but most v4 implementations now seem to also include v6. The schism happened over a decade ago when OpenSSH refused to adopt protocol enhancements to support non-Unix platforms. They argued SFTP v3 has everything it needs, which it does on Unix. But from a non-Unix perspective, everyone else thought it's not good enough, and better support for other platforms is needed. Because of this, there wasn't consensus, and SFTP did not become an RFC. Now, the result is that SFTP is a major internet protocol, and anyone who wants to implement it needs to follow this: https://tools.ietf.org/html/draft-ietf-secsh-filexfer-02 ... for SFTP version 3, and this: https://tools.ietf.org/html/draft-ietf-secsh-filexfer-13 https://tools.ietf.org/html/draft-galb-filexfer-extensions-00 ... for SFTP version 6. In addition, a number of details are unclear and not documented fully. For example, OpenSSH encodes some packets differently than SFTP v3 prescribes, and implementations of check-file extensions are not compatible in practice due to different restrictions on their usage. I would think it worthwhile for SFTP to receive better treatment, and I think practical use justifies documenting both version 3 and version 6. Since both are widely used, I think it would be reasonable for this to be Standards track, not Informational. However, if I write a draft - or perhaps two drafts - I'm not sure who to turn to. I'm not sure there's a working group that this could be made part of. Is it possible to pursue Standards track as an individual submission? Should we create a working group with the purpose to document existing practice? denis