Re: [dsfjdssdfsd] Any plans for drafts or discussions on here?

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 22 January 2014 19:12 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dsfjdssdfsd@ietfa.amsl.com
Delivered-To: dsfjdssdfsd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7C631A02BF for <dsfjdssdfsd@ietfa.amsl.com>; Wed, 22 Jan 2014 11:12:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.747
X-Spam-Level:
X-Spam-Status: No, score=-0.747 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_21=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7vipdprgQQgb for <dsfjdssdfsd@ietfa.amsl.com>; Wed, 22 Jan 2014 11:12:08 -0800 (PST)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id AA1421A01AF for <dsfjdssdfsd@ietf.org>; Wed, 22 Jan 2014 11:12:08 -0800 (PST)
Received: from [10.20.30.90] (50-0-66-198.dsl.dynamic.sonic.net [50.0.66.198]) (authenticated bits=0) by hoffman.proper.com (8.14.7/8.14.7) with ESMTP id s0MIpsf2001394 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 22 Jan 2014 11:51:55 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 50-0-66-198.dsl.dynamic.sonic.net [50.0.66.198] claimed to be [10.20.30.90]
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <CAF4+nEE3b6aP9-PnTPET8GeaUJL0TGC7nDPimcrF6KAFu8ph_w@mail.gmail.com>
Date: Wed, 22 Jan 2014 11:12:02 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <2E83403A-659D-4671-813A-5FC55EC781FE@vpnc.org>
References: <52DD996F.3040708@cs.tcd.ie> <CAF4+nEHEWaSr3HMuGtQ=vQzuuhkTo2uNpedUTNgmT5NsWRsTfA@mail.gmail.com> <30316745-8091-46AD-95A1-407757489FF9@vpnc.org> <1737731959.20140122185149@gmail.com> <CAF4+nEE3b6aP9-PnTPET8GeaUJL0TGC7nDPimcrF6KAFu8ph_w@mail.gmail.com>
To: Donald Eastlake <d3e3e3@gmail.com>
X-Mailer: Apple Mail (2.1827)
Cc: dsfjdssdfsd@ietf.org
Subject: Re: [dsfjdssdfsd] Any plans for drafts or discussions on here?
X-BeenThere: dsfjdssdfsd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086." <dsfjdssdfsd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dsfjdssdfsd/>
List-Post: <mailto:dsfjdssdfsd@ietf.org>
List-Help: <mailto:dsfjdssdfsd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2014 19:12:09 -0000

On Jan 22, 2014, at 10:13 AM, Donald Eastlake <d3e3e3@gmail.com> wrote:

> Hi Paul,
> 
>> Paul Hoffman (at Tuesday, January 21, 2014, 2:28:26 AM):
>>> It still feels very wrong
>>> for us to be suggesting to application developers that they should
>>> be doing their own randomness; they should be asking their OS unless
>>> they are experts, and those experts don't need an RFC.
> 
> I don't understand why you think having an RFC means that applications
> developers are supposed to implement what is described in that RFC.

Why else write the RFC? Is it for developers who work on /dev/random in various OSs? If so, there is a whole different set of problems with the document, which we discussed during the round before this.

> The IETF does lots of non-application level RFCs.

Sure, and if this is one of those, you need to say that clearly. That's why I said I wanted to see what changes you were making in the -01.

> I don't agree that
> it is clear who is an expert in this area. I don't agree that any
> person believed to be an expert will, in the absence of documentation,
> know or take into account all the aspects of what might be called best
> current practice in this area.

Sure. However, I also don't think the document describes what are "best", much less "current", practices in the area. The permathreads on the cryptography mailing list makes it really clear that there is no agreement on what is "best" even among active crypto developers. They also show that many people don't even know what is "current": Ted Ts'o has had to tell folks a few times that their new ideas are in fact already implemented, at least in Linux.

> IETF specifications that call for
> quantities unpredictable by adversaries need to reference something.

Yes.

> Should they just reference the NIST documents?

Definitely not.

--Paul Hoffman