Re: [Curdle] Time to Review IANA SSH Registries Policies?

Phillip Hallam-Baker <> Wed, 03 February 2021 20:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7EC223A1119 for <>; Wed, 3 Feb 2021 12:16:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JlFfGEztAcdr for <>; Wed, 3 Feb 2021 12:16:35 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3ED203A1116 for <>; Wed, 3 Feb 2021 12:16:35 -0800 (PST)
Received: by with SMTP id m76so889564ybf.0 for <>; Wed, 03 Feb 2021 12:16:35 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DMS43Oghh69SwdN/03zuGvKheUAzy32p62OATE4bXfQ=; b=KlXtRIM09KhfaW46S1cY8S5m6BtOc40vZ6hgnDjzapzHZdMQZe/RNb7ek+D7xNfHwY dZc0W7oelvqIh2nojD0aPIDdJydcmkawi8CbjwYXUDQjPv4ZHMxbjCWgXdp1v5EwRCw7 14ceGObvg55vK6Mos/6TG/IGWNQIt2kyRa+Q3RbtdyCHfvp4zgrvDyYhdfoR2yBT4HV1 XkJA1fdS6BX1ZYLHPMhTjdlvQJ+1y9vfynnKiwE6lYDpkJGcFEpCadKrSlpl9QltltuS Cc2Q9Tt9WbTuoobD6KSf1fAkESqNJ02FejSdGCTLysaM2Q4GXjmbhpBl4KLcRBB7R3w9 J3Ew==
X-Gm-Message-State: AOAM530FkJ6R2m6VBuP6r2KsZOssz5Y1y3LWgoX0TMkHDce9Mm/wVZAx pt9xBOO3hFUozGDUiM0LoL///YgoAPhAKGxvQ/Q=
X-Google-Smtp-Source: ABdhPJzpURFtfF6xOLRsy/KUh32xs/omhtGYy4gvK0VTkCnx2mVyzuwWOPzYFkefIJUlaYwJ+NwQaqx4XHb2cWWPl7w=
X-Received: by 2002:a5b:444:: with SMTP id s4mr7271115ybp.172.1612383394196; Wed, 03 Feb 2021 12:16:34 -0800 (PST)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Phillip Hallam-Baker <>
Date: Wed, 3 Feb 2021 15:16:23 -0500
Message-ID: <>
To: "Salz, Rich" <>
Cc: Sean Turner <>, Curdle List <>
Content-Type: multipart/alternative; boundary="00000000000073f15a05ba74437b"
Archived-At: <>
Subject: Re: [Curdle] Time to Review IANA SSH Registries Policies?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 03 Feb 2021 20:16:37 -0000


Restrictive registration requirements contradict the principle of
'permissionless innovation'. If the IETF is the place you go to get
permission to innovate, we are doing it wrong.

Restrictions on registration are also counterproductive as they don't stop
people innovating, they just stop the innovations being tracked accurately.
When the SAML TC asked me to register SRV code points for SAML, the
response I got back from IETF was of the form, 'we have set up a committee
to look at forming a WG to decide on procedures for registering new
services, come back in five years, maybe'. So I wrote my own and those are
the standard SRV discovery tags for SAML.

I would like the IAB to put out a policy that every registry be made open
registration except in cases where the code space itself is limited (e.g.
IP version numbers, Port numbers, etc.).

This should even be the case for cryptographic algorithms. In fact it
should be especially for cryptographic algorithms because we don't really
do any reviews for security except to reject the ones we know are absurdly
rubbish. We just don't have bandwidth to do any vetting beyond the tiny set
of algorithms we use ourselves.

So where do RFCs, documentation and expert review come in? I think they
still have a place but think of this more as an star rating.

1 Star: The code point has been registered to a named purpose which may or
may not be intelligible.
2 Stars: As 1, plus the purpose described in a document which is accessible
3 Stars: As 2, plus an expert has reviewed the document, it is not
obviously stupid.
4 Stars: As 3, plus there is a published RFC
5 Stars: As 4, plus the spec is a proposed standard.

And we can also add in 0 stars for the case where multiple parties contest
the use of the same code point and as a result it leads only to pain,
misery and death.

On Wed, Feb 3, 2021 at 2:55 PM Salz, Rich <>

> Speaking as an individual,
> > Is there interest in reviewing the SSH registries to see if it makes
> sense to move them to expert review (or some other level)?
> I support this and would contribute to the review.  (I'm author of a draft
> which is currently in the WG adoption phase;
> _______________________________________________
> Curdle mailing list