Re: [sasl] MOGGIES Proposed Charter

Nicolas Williams <Nicolas.Williams@oracle.com> Fri, 21 May 2010 23:11 UTC

Date: Fri, 21 May 2010 18:09:00 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Tom Yu <tlyu@mit.edu>
Subject: Re: [sasl] MOGGIES Proposed Charter
Message-ID: <20100521230900.GF9605@oracle.com>
References: <20100518191521.GL9429@oracle.com> <201005202238.o4KMcML6028897@fs4113.wdf.sap.corp> <20100520225647.GX9605@oracle.com> <ldvy6fc3mg8.fsf@cathode-dark-space.mit.edu>
In-Reply-To: <ldvy6fc3mg8.fsf@cathode-dark-space.mit.edu>
Cc: kitten@ietf.org, tim.polk@nist.gov, sasl@ietf.org

On Fri, May 21, 2010 at 06:43:35PM -0400, Tom Yu wrote:
> Yes, this means that you may have to revise the numeric "security
> strength" that you report for a given cryptographic association as new
> cryptanalytic attacks are discovered, but you would have to do that
> anyway with a non-numeric method of reporting "security strength".

Yes, but that way we get to also have policy names, both standard and
locally-defined, as the interface _for users_.

Let me refine my problem with numeric measures of cryptographic strength
in APIs.  There are two.  First, what's better in a UI (I'm betting API
particulars will leak into UIs)?  Second, do we want to encourage users
and/or developers to make relative cipher suite strength comparisons?

Looking at it from a UI perspective I'd rather have UI-friendly security
strength indications than numeric ones.  One might argue that numeric
measures of strength are what users are used to, and there's no sense in
trying to change that.  Is anyone up for that argument?

Nico
--
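To make the two positions in this exchange concrete, here is an added example (not code from the thread or from any SASL/GSS implementation) that keeps policy names as the user-facing interface while holding the numeric strength estimates internally, where they can be revised as cryptanalysis advances. The "standard:*" and "local:*" policy names, every bit count, and the downward revision of RC4 are constructed for illustration only.

```python
# Added example (not from the thread): named policies as the user-facing
# interface, numeric strength estimates as the internal, revisable measure.
# Suite names are real TLS identifiers; every bit count and policy here is a
# constructed illustration, not an authoritative assessment.

STRENGTH_BITS = {
    "TLS_AES_128_GCM_SHA256": 128,
    "TLS_AES_256_GCM_SHA384": 256,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 112,
    "TLS_RSA_WITH_RC4_128_SHA": 128,  # nominal key size, before any revision
}

# Policy names (hypothetical "standard:*" and site-defined "local:*") are what
# users and configurations refer to; the numbers behind them can change.
POLICIES = {
    "standard:128": {"min_bits": 128},
    "standard:112": {"min_bits": 112},
    "local:payments": {"min_bits": 256, "allow": {"TLS_AES_256_GCM_SHA384"}},
}


def revise_strength(suite, new_bits, table):
    """Lower a suite's strength estimate after a cryptanalytic result.

    Estimates only move downward here: a weakened suite must not quietly
    regain its old rating because a stale table entry is re-applied.
    """
    if new_bits >= table.get(suite, 0):
        raise ValueError("revision must lower the estimate for %s" % suite)
    table[suite] = new_bits


def satisfies(suite, policy_name, table=STRENGTH_BITS, policies=POLICIES):
    """True if `suite` meets the named policy under the current estimates."""
    policy = policies[policy_name]
    allow = policy.get("allow")
    if allow is not None and suite not in allow:
        return False
    # Unknown suites count as 0 bits, so they never satisfy any policy.
    return table.get(suite, 0) >= policy["min_bits"]


def acceptable_suites(offered, policy_name, table=STRENGTH_BITS):
    """Return the offered suites that pass the policy, as an unordered set:
    callers get a yes/no per suite, not a ranking to compare suites by."""
    return {s for s in offered if satisfies(s, policy_name, table)}
```

Users and configuration files only ever name a policy; when an estimate is revised, the policy name they chose keeps meaning "acceptable today" without anyone editing a number in a UI.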