Re: Use of "unassigned" in IANA registries

Phillip Hallam-Baker <hallam@gmail.com> Sat, 15 January 2011 03:14 UTC

On Fri, Jan 14, 2011 at 5:06 PM, Martin Rex <mrex@sap.com> wrote:

> Phillip Hallam-Baker wrote:
> >
> > The illusion of control is comforting to some but it is an illusion. At the
> > end of the day the IETF has roughly 2000 people involved. Nobody elected us.
> > We are accountable to no-one.
>
> I assume the number of IETF contributors is more like 5000-10000.
>
> >
> > The Internet has 2 billion users. We do not accept accountability to those
> > users. We cannot even understand what their requirements might be. And even
> > if we did, we may well reject them out of hand.
>
> Everybody can get involved with the IETF and although some working groups
> may have superseded rough consensus by voting these days, there are still
> significant numbers of contributors involved in the IETF with non-marginal
> levels of dignity about the technologies they are creating.


It is hard to imagine any structure that could provide for significantly
more than one person in a million being involved in the IETF.

We can face that fact or we can pretend that it doesn't matter and that we
can have power without accountability. I believe Rudyard Kipling's quote on
that topic was on point.


> > The first cost is the cost of maintaining the registry. Assigning code
> > points requires an administrator, it frequently requires expert review.
> > That incurs time and money.
>
> You are asserting here that by _not_ using an IANA registry, but instead
> relying on ASN.1 OIDs, suddenly the use of DSA with MD4 for a digital
> signature obviates expert review and becomes technically sound?
>

No, the proliferation of cryptographic algorithms is a bad thing in and of
itself.

In the past it was believed that having a backup algorithm was a good thing.
Then we discovered that in fact the security of a scheme is usually
determined by the least secure algorithm supported rather than the best and
that adding a backup algorithm merely created additional opportunities to
crack the system.


We should not therefore be in the business of expertly reviewing any crypto
unless we believe it to be a significant improvement on the existing
algorithms.

Your straw man case of DSA with MD4 is easy to reject. But what would be the
acceptance conditions?

From a protocol standpoint the correct response is arguably to reject every
application. But doing that is impossible as the GOST case demonstrates. If
the IETF had not assigned the code points then they would have been assigned
by the GRU.


We cannot stop people from shooting themselves in the foot and we should not
try either.


>
> The assignment of a code point itself is a cost infinitesimally close to
> zero.  No matter how you look at it, at the abstract level there is
> no difference between an IANA code point assignment for something
> and the assignment of an ASN.1 OID or a URI by some organization.
>

From a political standpoint it is totally different. Assignment of an IANA
code point is an IETF endorsement no matter how many caveats we attempt to
apply.

The cost of expert review is non zero.



> With an IANA registry, the IETF can (and should) enforce free availability
> of the relevant specifications plus at least availability of RAND conditions
> for the surrounding (known) IPR claims


Nonsense.

If the IETF refuses to issue code points people will issue them themselves.
That was the original observation at the start of this thread.


-- 
Website: http://hallambaker.com/