Re: Call for Community Feedback: Retiring IETF FTP Service

Keith Moore <> Tue, 17 November 2020 05:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1913E3A0DF3 for <>; Mon, 16 Nov 2020 21:25:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id j_Ogj05griD0 for <>; Mon, 16 Nov 2020 21:25:12 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D9C663A0DEE for <>; Mon, 16 Nov 2020 21:25:11 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal []) by mailout.nyi.internal (Postfix) with ESMTP id D58055C0220; Tue, 17 Nov 2020 00:25:10 -0500 (EST)
Received: from mailfrontend1 ([]) by compute3.internal (MEProxy); Tue, 17 Nov 2020 00:25:10 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=jlKs3JE42Pgg/WuKKd32c7Jev+1+3DPnoDfcEhtsW 9U=; b=l9KX50gQirGPMy23Dbk/47W6DzZPNusvYOBedPnhYvP3iuB+DzB1tuKc4 HGtHleAsXlBI86caZ7QTv6ABEbmzHzulntrMfbNG7k3zKrDvhWe2JKtrzg/6hnSg Yd27RIDsMzt0JbDSZjphS0+YMZyjHvT/9oQ998k8rDpJeTdpjuvK/9hTca/HTyXa iwwstILjKN56bDRC4soA5vDWiRxpQgxBDJC5JAk2Cz6tDDrTfq9GWCW5zYCnuVkv vOXBmxzeNwIcLateOBBEfQJA1KWZsDsqHXK322HI78LYaqQZ/f/VWHq2w5djifYp SoV9paKLu8rfNsQE00P1P7WE0vGhg==
X-ME-Sender: <xms:tl6zXxCHjGgCbxE8Esbn0qeIg86qiWhyxFJCMHbsxFbyLmmFJFJnCg> <xme:tl6zX_j942_djrmUhbM36A8i1hk7iMnuA95sCCvbrGXZWZgOAd3JXPmXtKz00ZrvJ 8-0QQ8VDA04fA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrudefvddgjedvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepuffvfhfhkffffgggjggtgfesthekredttdefjeenucfhrhhomhepmfgvihht hhcuofhoohhrvgcuoehmohhorhgvsehnvghtfihorhhkqdhhvghrvghtihgtshdrtghomh eqnecuggftrfgrthhtvghrnhephefhuedtheefgfefgffhkeehgfeugfeiudeugeejkeef leelueeiffetfeeuudeunecukfhppedutdekrddvvddurddukedtrdduheenucevlhhush htvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmohhorhgvsehnvght fihorhhkqdhhvghrvghtihgtshdrtghomh
X-ME-Proxy: <xmx:tl6zX8lKQKKZjFKXY98H3f-kNqYyUcRfoT_YdS_DD6VZ7xPPgVP-8w> <xmx:tl6zX7zZv1wcbJVZgRZ9IT_K7yfuK9-AUkHVVdWbrzQejC32L4aqRA> <xmx:tl6zX2Rh4tgusqYsF2vC_AAMg75FoKCiMwnTQ-ZUu29mxY_5V_FGbg> <xmx:tl6zX9P3vDMuKtTAGfMQS3qjHExWJMiaMcDUG_zjMbWyWo3EKZp5sA>
Received: from [] ( []) by (Postfix) with ESMTPA id 0F65E3280068; Tue, 17 Nov 2020 00:25:09 -0500 (EST)
Subject: Re: Call for Community Feedback: Retiring IETF FTP Service
To: Daniel Migault <>, Adam Roach <>
Cc: IETF Discussion <>
References: <> <> <> <> <> <> <>
From: Keith Moore <>
Message-ID: <>
Date: Tue, 17 Nov 2020 00:25:07 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 17 Nov 2020 05:25:13 -0000

On 11/17/20 12:03 AM, Daniel Migault wrote:

> Putting opex aside, it seems to me that modern communications need to 
> be at least authenticated so ftp cannot stay as it is. I might be 
> missing something, but switching ftp to https seems to me quite 
> straight forward and at least much easier than switching to sftp or 
> ftps. Given the support of https versus ftp, I also believe reducing 
> the surface of attacks and relying on probably better maintained code 
> is probably a good switch. I believe that switching to https is a good 
> move

What I'm seeing are a lot of handwaving arguments and very little 
detail, and a lot of arguments of the form "it's quite straightforward 
for all clients to rewrite their code so we don't have to run a single 
additional server".

Sure, it's possible to use webdav instead of FTP, but I am not convinced 
that results in lower opex and it definitely requires significant 
changes on the part of clients.

By "authenticated" you're only talking about authenticating servers to 
clients.   That's not useless but I'm not aware of significant efforts 
or likely efforts to substitute bogus RFC content for genuine RFC content.