Re: [kitten] AD review of draft-ietf-kitten-krb-spake-preauth-06

[Benjamin Kaduk <kaduk@mit.edu>]

On Tue, Apr 28, 2020 at 07:53:31PM -0400, Robbie Harwood wrote:
> Greg Hudson <ghudson@mit.edu> writes:
> 
> > Ben sent feedback on the SPAKE preauth draft a little over a year ago.
> > I deferred acting on the smaller feedback items at the time, while
> > observing the CFRG's progress on PAKE algorithms.
> >
> > The CFRG has selected CPace over SPAKE2 for a balanced PAKE.  As such
> > I doubt there will be a need for a CFRG SPAKE2 document.  At this time
> > I don't think there would be sufficient interest in retooling the
> > Kerberos preauth mechanism for CPace, or making breaking changes.  I
> > have prepared changes to draft-ietf-kitten-krb-spake-preauth to drop
> > its dependency on draft-irtf-cfrg-spake2, instead referring
> > informatively to the Abdalla/Pointcheval paper and describing the
> > group operations explicitly.
> >
> > These changes, as well as updates addressing the smaller feedback
> > items, are at
> > https://github.com/greghudson/ietf/commit/6ecf1b9dfacc804692d858c726888855a512b8b7
> > .  I will update the draft unless it seems like there isn't WG
> > consensus on this direction.
> 
> Appreciate you being proactive about picking up work on SPAKE again.
> 
> > Some responses to a few of the smaller feedback items:
> >
> > On 4/4/19 7:58 PM, Benjamin Kaduk wrote:
> >>
> >> In addition to potentially allocating a new value for the RFC version
> >> of this spec, we probably also want to say a bit more about the
> >> registration procedures.  Should requestors send the request directly
> >> to the list, or to IANA first and IANA sends to the list?  Is the
> >> list publicly archived (and can anyone sign up as a member)?
> >
> > I'm a little lost here.  The mailing list was Nathaniel's idea and I am
> > not attached to it.  There are hundreds of IANA registries; it seems
> > like we should be picking from a few best practices for update
> > procedures rather than breaking ground.
> 
> CCing Nathaniel - anything to add?
> 
> I accept some of the blame for this - I think I wrote the language - but
> the mailing list was Nathaniel's request.  I believe I modeled what it
> specifies after RFC 7517 (there's no particular reason for that one,
> just what we happened to be working on at the time).
> 
> Is it normal for requests to be sent to IANA at all when Designated
> Experts are used?  Is the mailing list registration normally specified
> in this fashion?  I can't find anything in RFC 8126 about it, but I'm
> happy to make changes / accept changes to this document regardless.

I think that the mailing list thing gained traction with a group of folks
in the OAuth community and expanded through to JOSE+JWT and then the IoT
analogues (COSE+CWT), at which point it was large enough that other
unrelated groups started picking up on it (including TLS).  There's nothing
that requires having a mailing list, though it does give the community some
visibility into the workings of the DE review process (as well as,
depending on list permissions, a way to get notified about pending
allocations).

That said, the default behavior you get for a registry if you don't say
otherwise, is that IANA is the first point of contact.  That is, you ask
IANA to allocate a value (usually via a webform), and behind the scenes
IANA goes off and talks to the Experts, before acting on the decision of
the Experts.  Sometimes IANA has to relay questions and answers back and
forth and it feels a bit silly, but that's the way it's historically been
done.

As a couple examples, RFC 7519 (JWT) creates jwt-reg-review@ietf.org, and
https://datatracker.ietf.org/list/nonwg lists a few more.  I don't think
there is a perfect example yet of what text to use in the RFC when using
this sort of review process, though -- the examples that come to mind still
leave some ambiguity about what requestors and IANA are supposed to do.

-Ben