[dsfjdssdfsd] evaluating stuff (was: Re: Any plans for drafts or discussions on here?)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 23 January 2014 09:57 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dsfjdssdfsd@ietfa.amsl.com
Delivered-To: dsfjdssdfsd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 32A101A0390 for <dsfjdssdfsd@ietfa.amsl.com>; Thu, 23 Jan 2014 01:57:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.135
X-Spam-Status: No, score=-2.135 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.535] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id W8MMTJx8HRJg for <dsfjdssdfsd@ietfa.amsl.com>; Thu, 23 Jan 2014 01:57:21 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie []) by ietfa.amsl.com (Postfix) with ESMTP id EE7931A0349 for <dsfjdssdfsd@ietf.org>; Thu, 23 Jan 2014 01:57:20 -0800 (PST)
Received: from localhost (localhost []) by mercury.scss.tcd.ie (Postfix) with ESMTP id C6574BE55; Thu, 23 Jan 2014 09:57:19 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([]) by localhost (mercury.scss.tcd.ie []) (amavisd-new, port 10024) with ESMTP id w-+66UDaNR9L; Thu, 23 Jan 2014 09:57:18 +0000 (GMT)
Received: from [] (unknown []) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 51016BE38; Thu, 23 Jan 2014 09:57:18 +0000 (GMT)
Message-ID: <52E0E77E.5020800@cs.tcd.ie>
Date: Thu, 23 Jan 2014 09:57:18 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: ietf@hosed.org, 'Krisztián Pintér' <pinterkr@gmail.com>
References: <52DD996F.3040708@cs.tcd.ie> <CAF4+nEHEWaSr3HMuGtQ=vQzuuhkTo2uNpedUTNgmT5NsWRsTfA@mail.gmail.com> <30316745-8091-46AD-95A1-407757489FF9@vpnc.org> <1737731959.20140122185149@gmail.com> <03f201cf17ee$e34ccbf0$a9e663d0$@hosed.org>
In-Reply-To: <03f201cf17ee$e34ccbf0$a9e663d0$@hosed.org>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: dsfjdssdfsd@ietf.org
Subject: [dsfjdssdfsd] evaluating stuff (was: Re: Any plans for drafts or discussions on here?)
X-BeenThere: dsfjdssdfsd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086." <dsfjdssdfsd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dsfjdssdfsd/>
List-Post: <mailto:dsfjdssdfsd@ietf.org>
List-Help: <mailto:dsfjdssdfsd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jan 2014 09:57:22 -0000

(Great to see the discussion re-started, but I guess we can
afford more than one subject line:-)

On 01/23/2014 03:54 AM, ietf@hosed.org wrote:
> Those of us who deal with FIPS 140 and Common Criteria are now being asked
> to document entropy sources,

First, my sympathies for having to deal with that.

But I do wonder to what extent we're finding such evaluations
really useful. I know they are formal form-filling requirements
in various contexts, but I'm not so sure I'm that comfortable
treating them as a first order requirement when it comes to
things we do in the IETF.

I have seen a number of credible arguments that such schemes,
as applied to crypto implementations, are actually counter-

So - how important is it that any new work in the IETF on
this topic be consistent with a requirement for implementations
to be evaluated via such schemes?

My take would be that that's not hugely important and should
lose out to "doing the right thing," but given that some folks
do need to suffer such evaluations, we should think about 'em
but treat any evaluation-scheme-specific requirements only as
nice-to-have level requirements.

I expect vendors who are forced into doing it might disagree