Re: Last Call: Telnet Authentication Option to Proposed Standard
Harald Tveit Alvestrand <Harald@Alvestrand.no> Wed, 24 November 1999 07:20 UTC
Received: by ietf.org (8.9.1a/8.9.1a) id CAA28313 for ietf-outbound.10@ietf.org; Wed, 24 Nov 1999 02:20:04 -0500 (EST)
Received: from dokka.maxware.no (dokka.maxware.no [195.139.236.69]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA23489 for <ietf@ietf.org>; Wed, 24 Nov 1999 02:11:17 -0500 (EST)
Received: from alden ([10.128.167.143]) by dokka.maxware.no (8.9.3/8.9.3) with ESMTP id IAA20332; Wed, 24 Nov 1999 08:11:04 +0100
Message-Id: <4.2.0.58.19991124075517.04c6b890@dokka.maxware.no>
X-Sender: hta@dokka.maxware.no
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Wed, 24 Nov 1999 08:02:49 +0100
To: jaltman@columbia.edu
From: Harald Tveit Alvestrand <Harald@Alvestrand.no>
Subject: Re: Last Call: Telnet Authentication Option to Proposed Standard
Cc: tytso@MIT.EDU, joda@pdc.kth.se, ietf-cat-wg@lists.stanford.edu, ietf@ietf.org
In-Reply-To: <CMM.0.90.4.943396540.jaltman@watsun.cc.columbia.edu>
References: <Your message of Tue, 23 Nov 1999 23:18:59 +0100>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
At 17:35 23.11.99 -0500, Jeffrey Altman wrote: > > Protocols that offer increased complexity but no gain in security or > > efficiency over other standards-track efforts, but are in use today, are > > IMHO excellent candidates for Informational publication. > > > > Not for the standards track. > >I think the point of this debate is whether or not there is added >strength to the encryption. And so far the opinions have been >divergent. If 3DES is a better PRNG than DES then it is stronger. Indeed. Or rather: If draft-altman-telnet-enc-des3-[cfb,ofb] describes a mechanism where the best known attack is (significantly)more difficult than the best known attack on draft-tso-telnet-enc-des-[cfb,ofb], it should go to Proposed Standard (and the shoe is on the other foot; the -des- ones shouldn't go forward to Proposed, since DES-protected data is known to be vulnerable to brute force attacks). >As we point out in the Drafts, the telnet encryption stream mechanism >is susceptible to attacks. We know that. We have addressed it in >various ways. Unfortunately, the Telnet AUTH option implementations >for Kerberos 4, Kerberos 5, and Secure Remote Password all rely on the >Telnet Encryption option for privacy. I don't think it is appropriate >to send Telnet Auth to Proposed Standard with its reliance on an >option that is Informational. Hence, the desire for all of these >drafts to go to Proposed Standard. I'm not at the moment questioning whether draft-tso-telnet-encryption-04.txt should go to Proposed; the question hasn't been raised. I'm questioning the arguments for letting draft-altman-telnet-enc-des3-cfb-01.txt and draft-altman-telnet-enc-des3-ofb-01.txt should go to Proposed. >The TN3270 WG is working on a Telnet over TLS draft which has seen >several independent interoperable implementations for TN3270 and well >as more traditional telnet. My hope is to integrate Telnet over TLS >with Telnet AUTH so that Telnet AUTH may be used to provide mutual >authentication via a TLS using an ADH cipher. The one problem I have >run into is that the TLS Library vendors (other than OpenSSL) have >been very resistent to exporting the contents of the Finished messages >to the application so that they may be used in the Telnet Auth >negotiation to provide mutual authentication of the TLS. Once this >draft goes to Proposed Standard I would recommend that the Telnet >Encryption option be moved to Historical. But until that happens we >need it on the standards track. > >These drafts have been floating around the net for almost eight years >with many implementations. Its time for them to move on. If it is possible to satisfy RFC 2026 para 4.1.1: A Proposed Standard should have no known technical omissions with respect to the requirements placed upon it. However, the IESG may waive this requirement in order to allow a specification to advance to the Proposed Standard state when it is considered to be useful and necessary (and timely) even with known technical omissions. Yes. Harald -- Harald Tveit Alvestrand, EDB Maxware, Norway Harald.Alvestrand@edb.maxware.no
- Re: Last Call: Telnet Authentication Option to Pr… Johan Danielsson
- Re: Last Call: Telnet Authentication Option to Pr… Jeffrey Altman
- Re: Last Call: Telnet Authentication Option to Pr… Johan Danielsson
- Re: Last Call: Telnet Authentication Option to Pr… Jeffrey Altman
- Re: Last Call: Telnet Authentication Option to Pr… Othon Kamariotis
- Last Call: Telnet Authentication Option to Propos… Othon Kamariotis
- Re: Last Call: Telnet Authentication Option to Pr… tytso
- Re: Last Call: Telnet Authentication Option to Pr… Johan Danielsson
- Re: Last Call: Telnet Authentication Option to Pr… Harald Tveit Alvestrand
- Re: Last Call: Telnet Authentication Option to Pr… Jeffrey Altman
- Re: Last Call: Telnet Authentication Option to Pr… William Allen Simpson
- Re: Last Call: Telnet Authentication Option to Pr… Harald Tveit Alvestrand
- Re: Last Call: Telnet Authentication Option to Pr… Assar Westerlund
- IP network address assignments/allocations inform… Pete Loshin
- Re: IP network address assignments/allocations in… Henning Schulzrinne
- RE: IP network address assignments/allocations in… David Newman
- Re: IP network address assignments/allocations in… Bill Manning
- Re: IP network address assignments/allocations in… Henning Schulzrinne
- Re: IP network address assignments/allocations in… Randy Bush
- Re: IP network address assignments/allocations in… Brian E Carpenter
- Re: IP network address assignments/allocations in… Randy Bush
- Re: IP network address assignments/allocations in… Marc Blanchet
- Re: IP network address assignments/allocations in… Christian Huitema
- Re: IP network address assignments/allocations in… Perry E. Metzger
- IETF planning Dave Crocker
- Re: IP network address assignments/allocations in… Yakov Rekhter
- Re: IP network address assignments/allocations in… Jon Crowcroft
- Re: IP network address assignments/allocations in… Bill Manning
- Re: IP network address assignments/allocations in… Steve Deering