IETF Logo Mail Archive

Re: [Curdle] Kathleen Moriarty's Yes on draft-ietf-curdle-ssh-dh-group-exchange-05: (with COMMENT)

Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Fri, 15 September 2017 14:04 UTC

Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5840132939; Fri, 15 Sep 2017 07:04:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AwgyxlJu0WL9; Fri, 15 Sep 2017 07:04:34 -0700 (PDT)
Received: from mail-yw0-x230.google.com (mail-yw0-x230.google.com [IPv6:2607:f8b0:4002:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8231312421A; Fri, 15 Sep 2017 07:04:34 -0700 (PDT)
Received: by mail-yw0-x230.google.com with SMTP id t127so1493335ywg.4; Fri, 15 Sep 2017 07:04:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ByFee6hLCxNr1UxQKL5gEa6/PM81kaEHAAcauvH3Gg4=; b=su755E9e71Bqrm1Xt8CTQtrEbVa83gr3yPYOq4IbQbv78B4sUd+FhdXGFkWFSSLDET q1uH0EnbXFKXJ5EtPD4rmEzUmbT5FhTvBK8duHoLHIplGBQgYBio6x3J1/EywClZxTfl mfRgpAVX223paG1J6jnLkojGOfKRDtyHHcPYLv7Pf55EdOTswUo4Zug0tZlxHueaS5fI toW5wD8UbItBOdsPW4AQx45ePfKieALHJuHQKoNm9zD/2LwhcQTVvIbv53sNNOeMG9Tm 2CatmhQHzY2CFAWoWZWp/5lte1+Q8Uj1G1zDEPESiZDohVb4JotXYpOlsMVNq1YoHNeQ hHhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ByFee6hLCxNr1UxQKL5gEa6/PM81kaEHAAcauvH3Gg4=; b=EppgG3Nrhx9Kt/Byr8+zy1VBF8dlek2H86qyhlS6laGRa/UBbIXR+IE5sOemQxIOo8 UlO9mMpHiOY2o/fT67vS89+BZ1oqrx6dyTWj4WcQIZBCfl9tvhSnRHpg+6xtUpVo48g2 9zElJorphHh6O2ndTeBFm2lDAbeCcIaPJYgi2aTqFSFwbeRureG31dgNVK5Sfh9cKdOA OzjZnShWqqCADqTsp6JyAFTLCGU/I/ydy0Ok6O3MxpPhnl/nDgEjssTbJDBO1QhnTZx/ 0UnyVxObYyNhg3512V8tnowkCWE/DEpgSo6nt1jM1d6zEw+Uwph8S9q2BsCV91R6FMHr 86Cg==
X-Gm-Message-State: AHPjjUg3MGZ7UrD+I73MfeRCo2nHA71F/215vQmR/LQa+cCXp0510hTV OKi9cUlzMBSN0/UrolTvJk9QfNewABhOkOVEGv8=
X-Google-Smtp-Source: AOwi7QBBkeUS4OM1pt7PSU1BqlKY2mE2+bWPhem1ytZCcUKzgsUTTjkQsndlklC6SN2GfbN+0AhjWj91m3fh85lC6J8=
X-Received: by 10.129.135.68 with SMTP id x65mr5299440ywf.8.1505484273606; Fri, 15 Sep 2017 07:04:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.37.2.15 with HTTP; Fri, 15 Sep 2017 07:04:33 -0700 (PDT)
In-Reply-To: <CAFDEUTdXRo4MG2=RR+gB0yYpnr1o229qpp+aOaMaDPc6qmnogg@mail.gmail.com>
References: <150532612778.30489.12003202456500621755.idtracker@ietfa.amsl.com> <CAFDEUTdXRo4MG2=RR+gB0yYpnr1o229qpp+aOaMaDPc6qmnogg@mail.gmail.com>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Fri, 15 Sep 2017 09:04:33 -0500
Message-ID: <CAKKJt-etZb1nnXuhxsDZVu2oRUaqUxyD3-xG_0gVVOaQZdZqbQ@mail.gmail.com>
To: Loganaden Velvindron <logan@hackers.mu>
Cc: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, draft-ietf-curdle-ssh-dh-group-exchange <draft-ietf-curdle-ssh-dh-group-exchange@ietf.org>, curdle <curdle@ietf.org>, curdle <curdle-chairs@ietf.org>, The IESG <iesg@ietf.org>, Daniel Migault <daniel.migault@ericsson.com>
Content-Type: multipart/alternative; boundary="001a114f095657e39105593adfeb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/Yf-3MIjJsrQz7zgyGKDATbKYios>
Subject: Re: [Curdle] Kathleen Moriarty's Yes on draft-ietf-curdle-ssh-dh-group-exchange-05: (with COMMENT)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Sep 2017 14:04:37 -0000

So, Kathleen's ballot thread, but since she and I share this curiosity ...

On Fri, Sep 15, 2017 at 6:01 AM, Loganaden Velvindron <logan@hackers.mu>
wrote:

> On Wed, Sep 13, 2017 at 10:08 PM, Kathleen Moriarty
> <Kathleen.Moriarty.ietf@gmail.com> wrote:
> > Kathleen Moriarty has entered the following ballot position for
> > draft-ietf-curdle-ssh-dh-group-exchange-05: Yes
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut this
> > introductory paragraph, however.)
> >
> >
> > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.
> html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-dh-
> group-exchange/
> >
> >
> >
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > I do agree with Spencer, the text that is non-normative reads as if this
> is
> > fully deprecating any recommendation below 2048, but then the normative
> text
> > just says SHOULD.  Is there a reason this is not MUST?  I know
> deprecating
> > things takes a long time.
>
> Yes, it takes a long time, and also because of backward compatibility.
> We felt that "SHOULD" was sufficient at the time.


That doesn't surprise me (speaking only for myself).

It might be helpful to add a sentence explaining that the SHOULD is for
backward compatibility.

That changes the incentives a bit - implementers have more incentive to
implement a SHOULD if it's not a MUST *yet*, but when the community stops
worrying about backward compatibility, it could be, and then other
implementations won't interop with yours.

And, for extra credit, that could happen suddenly, if someone posts a
clever attack on 1024-bit keys that requires minimal computing resources
and includes an implementation that anyone can pick up ... so everyone else
stops accepting shorter keys, like, today.

But do the right thing, of course.

Spencer

v2.23.0 | Report a Bug | By Email