IETF Logo Mail Archive

Re: [kitten] Murray Kucherawy's No Objection on draft-ietf-kitten-krb-spake-preauth-11: (with COMMENT)

Nico Williams <nico@cryptonector.com> Sat, 20 January 2024 16:46 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00F11C14F618; Sat, 20 Jan 2024 08:46:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J_bCVB9VU71v; Sat, 20 Jan 2024 08:46:43 -0800 (PST)
Received: from slateblue.cherry.relay.mailchannels.net (slateblue.cherry.relay.mailchannels.net [23.83.223.168]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0DADC14F60A; Sat, 20 Jan 2024 08:46:42 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 4DEDA6C26E8; Sat, 20 Jan 2024 16:46:42 +0000 (UTC)
Received: from pdx1-sub0-mail-a223.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id BAFCB6C26D7; Sat, 20 Jan 2024 16:46:41 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1705769201; a=rsa-sha256; cv=none; b=ioeHqCq2E9ylVXiH1cC3p0nX2imdEFFRmnsEk5aO15vtWZejmusE2C1oxUpxncL/Tbh1mw RV+gVIEOyxnSmW0I70BCbGBVzSmS4Z5llKUtaYZs8gFGBulfRlAJAYJSFhLjRp5e99I1XH SnG8b8vQrIu81m3pwXziRT25va38Fxerq+TilXEPXGWqLd8BRJhep3eE1z1sNUkC9CeWfy davSWBEKEGel7KsNDOqXFIT/XE6bG25iWUt+XSr2i0YQ8jXBvNEXccciADxeics6BmYUxS VycWwUe788LIWxC42sT5siiCjsRApdacqR9CqqRFwattyssVOildav8iI0wuTQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1705769201; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=r9YLbcKGa5xDAnhmm+81lft7jSXWNvdOSYgg9ZMkdQ0=; b=OFrild99p47F+qNRyOljqQQRZXTWolwCZ36UWXL5IAg8LxHA/vbu13oiNO8eFxhQlng6bm qMGSpX7IYm2jtKGZC2W19+58OlnmTKezD3IPfxf2QpyCb0EgiwA86C3oNIqMqoNgKmPmaI 8xx+wss3NstUllhid6sUSWHh6yNlHNJrTvVgwSg617Ho50jfzyJsImm9AUwIfGI6E230j4 n2lHEAVi+b6gAnbNPzSJCs+6hZbszSnTxV5pD29bjyquoOTy9NfskZ+i0jKdVmAGkqMKEF 3FNEAzt8vGd+quXrjIb9twvEiSms6AaKiu9i+cE1GhYXbLq60r06PrNhUZRwYQ==
ARC-Authentication-Results: i=1; rspamd-568947cb6c-qzl4z; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Tank-Stretch: 5ca96cb107f486f9_1705769202072_3103524018
X-MC-Loop-Signature: 1705769202072:3769500978
X-MC-Ingress-Time: 1705769202072
Received: from pdx1-sub0-mail-a223.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.107.169.103 (trex/6.9.2); Sat, 20 Jan 2024 16:46:42 +0000
Received: from ubby (075-081-095-064.res.spectrum.com [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a223.dreamhost.com (Postfix) with ESMTPSA id 4THMnr6421z2Y; Sat, 20 Jan 2024 08:46:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1705769201; bh=r9YLbcKGa5xDAnhmm+81lft7jSXWNvdOSYgg9ZMkdQ0=; h=Date:From:To:Cc:Subject:Content-Type:Content-Transfer-Encoding; b=DAUn1X65q6gJ01MsVx+P/fWxJlDKdCVWq6c+MnlP4EweVCQ28iWhtuL63R/uEX3rm UyatmjWudS/De+ol+Kom39jv3wOIL/XaKc6wIDFrOZYHvz7HZy3KTtUeoMQU4eMr8w P8i09+Dt8fznRLOGd7dUpyKac0xh4I3k4pvt9rYv1dgfDDT1MCeZ51wNhFPIZ3TsCq OyTXeEUH9ud+6s1q9OlZ1KTVZoSKszesCQmIDoFQP5rMocBL7XeajVz7sR6xF3MAdf iRGQkkrlsIpX2yhBMUsQKokHDswEKzky0xNAQdbl8b0uq1Y4vyVBisQvHTUPOOWYho iS1kAc0LAJ9Gg==
Date: Sat, 20 Jan 2024 10:46:38 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: Greg Hudson <ghudson@mit.edu>, The IESG <iesg@ietf.org>, draft-ietf-kitten-krb-spake-preauth@ietf.org, kitten-chairs@ietf.org, kitten@ietf.org
Message-ID: <Zav47pSFM0Y/r+wJ@ubby>
References: <170559100930.21281.8142882686300667918@ietfa.amsl.com> <d5d9e798-c6c1-4f15-a1f2-4e08580a70c4@mit.edu> <CAL0qLwZUOepsqoGY+kb5tB8CBc=EOYAtoSXk35XAMD4LF5Hw8w@mail.gmail.com> <ZaoDKjMhV3g1w4pp@ubby> <CAL0qLwbueeYOCQSgapa6yx1DzbXLYXuNUMzUvH3m1X-LzaNNxA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAL0qLwbueeYOCQSgapa6yx1DzbXLYXuNUMzUvH3m1X-LzaNNxA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ezMoboGWCaQgV4NAQ9DQx2gDbJs>
Subject: Re: [kitten] Murray Kucherawy's No Objection on draft-ietf-kitten-krb-spake-preauth-11: (with COMMENT)
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Jan 2024 16:46:47 -0000

On Fri, Jan 19, 2024 at 10:39:32PM -0800, Murray S. Kucherawy wrote:
> On Thu, Jan 18, 2024 at 9:05 PM Nico Williams <nico@cryptonector.com> wrote:
> > I-Ds expire, yes, but they are not deleted, neither from the Internet
> > nor from the IETF I-D archive.  I-Ds are versioned, and each version is
> > "stable".  I believe an I-D counts as "specification exists" under RFC
> > 2434.
> 
> RFC 2434 was obsoleted a long time ago, as was its successor.  RFC 8126 is
> current.

Yes, but none of this changed materially.

> If I'm an implementer following a link from an IANA registration to an I-D,
> but then there's a big colorful warning that the I-D is expired, wouldn't
> it be reasonable for me to believe that the registration, the document, or
> both are no longer valid?  This seems really strange to me.  I would expect
> to find a link to something current.

What that situation would mean is this: the registration is valid, the
I-D is expired, and you have to go figure out whether the registered
elements are in use in the wild.  Some of the registrations in that
registry don't even have any specification, so the ones for which an I-D
is listed are a lot easier for implementers to understand that the ones
for which an I-D is not listed.

But this registry is Expert Review, which means NOT EVEN any
specification is needed, not even an expired I-D.  Would you rather that
IANA delete the reference to the expired I-D and make things even harder
for implementers?  Surely not!

> Should we deregister something if it references an I-D that expires?  Or

Oh.  You want the registration removed.  But if the registration didn't
have a specification then that would be ok?

If you want to break the IETF and make it irrelevant then by all means
do just this.  Write an I-D directing IANA to do this, get it published,
then have IANA do this.  Even better, forbid new allocations w/o RFCs.
Then watch camping and collisions happen.  Fortunately you will never
obtain IETF consensus for this.

Sometimes I-Ds don't progress but their implementations remain in use.
What can you do about that?  I don't know.  But everything you've
proposed would make things worse, not better.

> maybe it should seek publication via the ISE instead if the WG drops it?

You can't make the IETF publish RFCs when there's no energy to do it.

Someone has to pay the salaries of the authors and editors and reviewers
and shepherds and ADs who will push a semi-abandoned I-D across the
finish line.  There is also the opportunity cost of not having them do
something more productive.

> Or something?

Sometimes there's nothing good to be done.

The cost of "stale" registrations in large namespaces is near zero.
Leave it be.

> > Many Internet protocols require IANA registry allocations prior to RFC
> > publication for good reasons:
> >
> >  - publishing an RFC just to obtain an allocation for a work-in-progress
> >    is impractical
> >
> >  - not having allocations prior to publication greatly complicates
> >    testing and soaking
> >
> >  - private use namespaces do work, but then when upon publication
> >    _different_ allocations are obtained there then arises an upgrade
> >    problem in the field that may not be trivial to manage
> 
> There's another practice I've seen commonly used: Allow registrations to be
> "provisional", which are First Come First Served so it's trivial to get an
> experimental code point or reserve one, and then allow them to become
> "permanent" with Specification Required or similar.  Would that work here?

No, it wouldn't.  Again, once the document gets published as an RFC you
(right?) would have the IANA allocate NEW non-provisional code points,
and then we would have a migration problem, with large attendant costs.
Do you want to force pointless, unnecessary costs on the industry?

> > It's not just Kerberos, but TLS and others, that have used I-Ds as
> > "specifications".
> 
> This isn't making me feel better.  :-)

It should absolutely give you pause, yes.  Chesterton's fence and all
that.  Before you change something that has been so for decades, and
which has been revised in that time, maybe you ought to educate yourself
on how it got to be that way and think about how the IETF would function
with the changes you have in mind.

> I don't think I'm disputing the registration policy you've chosen.  I'm
> disputing whether we should consider an I-D to be "stable".

They don't get removed from the archive.  Therefore they are "stable".

"Expired" doesn't mean "gone", "deleted".  It means that if you want to
be able to discuss the I-D productively in a WG or in the IETF as a
whole, then you need to submit a new version.  This is wise: a number of
things may have changed that require changes to the I-D in order to
progress it, and making the authors edit it and resubmit it is a good
idea.

Nico
--

v2.23.0 | Report a Bug | By Email