Re: [dsfjdssdfsd] evaluating stuff (was: Re: Any plans for drafts or discussions on here?)
"Jon Green" <jon@hosed.org> Thu, 23 January 2014 15:59 UTC
From: Jon Green <jon@hosed.org>
To: 'Stephen Farrell' <stephen.farrell@cs.tcd.ie>, 'Krisztián Pintér' <pinterkr@gmail.com>
Date: Thu, 23 Jan 2014 07:59:46 -0800
Cc: dsfjdssdfsd@ietf.org
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086." <dsfjdssdfsd.ietf.org>

What I thought the topic was originally about was providing guidance to developers on dealing with randomness, should they choose to do that. My point was only that there are valid reasons a developer might be forced to deal with randomness rather than depend on the OS, and public-sector certification is one such reason.

I know it sounds like paper pushing, but the people writing Common Criteria profiles really are trying to get vendors to do the right thing. They are also open to feedback from the vendor and developer community, and within the last year the CC community has started "technical communities" which are open to participation from anyone - for just that purpose. So if they are doing the wrong thing, there is an opportunity to correct them.

In the case of entropy specifically, if you believe what is written here:

https://www.niap-ccevs.org/pp/pp_nd_v1.1-add3.pdf

...it has done some good. By simply requiring vendors to think about the problem, it got them to uncover deficiencies and make improvements. BTW this is a useful document to read to understand what the government folks are going after when it comes to entropy.

But back to your question:

>So - how important is it that any new work in the IETF on
>this topic be consistent with a requirement for implementations
>to be evaluated via such schemes?

Not important. The government certification people mandate that vendors implement IETF standards, not the other way around. Sometimes they pick subsets - for example "Product SHALL implement TLS 1.2, but only with specific ciphersuites (things based on various combinations of AES, RSA, ECDSA, ECDHE, etc.)" But no, I don't think we should let their requirements drive standards activity.

-Jon

--
Jon Green
jon@hosed.org
http://www.hosed.org

-----Original Message-----
From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
Sent: Thursday, January 23, 2014 1:57 AM
To: ietf@hosed.org; 'Krisztián Pintér'
Cc: dsfjdssdfsd@ietf.org
Subject: evaluating stuff (was: Re: [dsfjdssdfsd] Any plans for drafts or discussions on here?)

(Great to see the discussion re-started, but I guess we can afford more than one subject line:-)

On 01/23/2014 03:54 AM, ietf@hosed.org wrote:
> Those of us who deal with FIPS 140 and Common Criteria are now being asked
> to document entropy sources,

First, my sympathies for having to deal with that.

But I do wonder to what extent we're finding such evaluations really useful. I know they are formal form-filling requirements in various contexts, but I'm not so sure I'm that comfortable treating them as a first order requirement when it comes to things we do in the IETF. I have seen a number of credible arguments that such schemes, as applied to crypto implementations, are actually counter-productive.

So - how important is it that any new work in the IETF on this topic be consistent with a requirement for implementations to be evaluated via such schemes?

My take would be that that's not hugely important and should lose out to "doing the right thing," but given that some folks do need to suffer such evaluations, we should think about 'em but treat any evaluation-scheme-specific requirements only as nice-to-have level requirements.

I expect vendors who are forced into doing it might disagree though.

S.