Re: draft-harris-ssh-arcfour-fixes-02: informational or proposed?
Keith Moore <moore@cs.utk.edu> Wed, 01 June 2005 19:34 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DdYyw-0005yj-A4; Wed, 01 Jun 2005 15:34:26 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DdYyu-0005yW-5A; Wed, 01 Jun 2005 15:34:24 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA19412; Wed, 1 Jun 2005 15:34:20 -0400 (EDT)
Received: from klutz.cs.utk.edu ([160.36.56.50]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DdZIl-00061U-Tm; Wed, 01 Jun 2005 15:54:57 -0400
Received: from localhost (klutz [127.0.0.1]) by klutz.cs.utk.edu (Postfix) with ESMTP id 3BD994010E; Wed, 1 Jun 2005 15:34:22 -0400 (EDT)
Received: from klutz.cs.utk.edu ([127.0.0.1]) by localhost (klutz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 29851-08; Wed, 1 Jun 2005 15:34:19 -0400 (EDT)
Received: from astro.cs.utk.edu (astro.cs.utk.edu [160.36.58.43]) by klutz.cs.utk.edu (Postfix) with ESMTP id B61F840023; Wed, 1 Jun 2005 15:34:19 -0400 (EDT)
Date: Wed, 01 Jun 2005 15:34:19 -0400
From: Keith Moore <moore@cs.utk.edu>
To: Sam Hartman <hartmans-ietf@mit.edu>
Message-Id: <20050601153419.5b75e405.moore@cs.utk.edu>
In-Reply-To: <tslbr6php2n.fsf@cz.mit.edu>
References: <tsloeaqgc2s.fsf@cz.mit.edu> <20050601144334.0165488d.moore@cs.utk.edu> <tslbr6php2n.fsf@cz.mit.edu>
X-Mailer: Sylpheed version 1.9.9 (GTK+ 2.6.7; i386--netbsdelf)
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new at cs.utk.edu by ClamAV and McAfee
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a7d6aff76b15f3f56fcb94490e1052e4
Content-Transfer-Encoding: 7bit
Cc: moore@cs.utk.edu, ietf@ietf.org, iesg@ietf.org
Subject: Re: draft-harris-ssh-arcfour-fixes-02: informational or proposed?
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org
> Keith> previous mistakes are not valid justifications for new > Keith> mistakes. previous accidents are not valid justifications > Keith> for deliberately weakening new products. > So, that's certainly true. but I can see two points. > > 1) There is an existing somewhat broken rc4 cipher in the ssh > standards-track document. This spec proposes to replace that > cipher with one that is much less broken. Why should that be > a lower level of standardization than the existing cipher? It shouldn't. But there's no reason that the existing specification cannot be reclassified as Historic at the same time as the new specification is approved for whatever classification seems reasonable. There's also no reason that an applicability statement cannot be written (preferably as a separate document) that explains the reasons for the status of each dialect of rc4, and the risks vs. benefits of using each dialect of rc4. (other than, perhaps, it's awkward for IESG to originate such statements, and even more difficult to get consensus on such statements than for ordinary specifications) Note that I'm not specifically recommending that the new rc4 document not be standards-track, nor am I specifically recommending that the existing documents should be reclassified as non-standards-track. I am saying that the fact that the "existing arcfour cipher is part of a standard and that many other IETF protocols use rc4 in standards track documents" is not a justification for making the new document a standard if it doesn't meet our technical criteria. Nor is it a justification for keeping the old documents at standards-track if they no longer meet our technical criteria. Keith p.s. Part of the problem, I suspect, is that the standards-track vs. non-standards-track bit is overloaded (in practice) to be both a "recommendation" bit and a "this meets our technical criteria" bit. There are times that we'd like to recommend protocols and practice that don't meet our normal criteria for standards-track. There are also times that we want to make standards for protocols even we don't specifically recommend their use. But we have a difficult time doing that because we know that in practice anything we label as "standard" will be taken as if it is recommended. _______________________________________________ Ietf mailing list Ietf@ietf.org https://www1.ietf.org/mailman/listinfo/ietf
- draft-harris-ssh-arcfour-fixes-02: informational … Sam Hartman
- Re: draft-harris-ssh-arcfour-fixes-02: informatio… Keith Moore
- Re: draft-harris-ssh-arcfour-fixes-02: informatio… Simon Josefsson
- Re: draft-harris-ssh-arcfour-fixes-02: informatio… Sam Hartman
- Re: draft-harris-ssh-arcfour-fixes-02: informatio… Steven M. Bellovin
- Re: draft-harris-ssh-arcfour-fixes-02: informatio… Keith Moore
- Re: [saag] [Sam Hartman] draft-harris-ssh-arcfour… Jeffrey Altman
- Re: draft-harris-ssh-arcfour-fixes-02: informatio… Sam Hartman
- Re: draft-harris-ssh-arcfour-fixes-02: informatio… william(at)elan.net
- Re: draft-harris-ssh-arcfour-fixes-02: informatio… william(at)elan.net
- Re: [saag] [Sam Hartman] draft-harris-ssh-arcfour… Brian E Carpenter
- Re: draft-harris-ssh-arcfour-fixes-02: informatio… Bill Sommerfeld
- Re: draft-harris-ssh-arcfour-fixes-02: informatio… Ben Harris
- Re: draft-harris-ssh-arcfour-fixes-02: informatio… Ben Harris
- Re: draft-harris-ssh-arcfour-fixes-02: informatio… Ben Harris