[openpgp] On guidance to IANA Designated Experts
Benjamin Kaduk <kaduk@mit.edu> Fri, 29 July 2022 16:27 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 332A6C157903 for <openpgp@ietfa.amsl.com>; Fri, 29 Jul 2022 09:27:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CZjPyZwZ_IQT for <openpgp@ietfa.amsl.com>; Fri, 29 Jul 2022 09:27:23 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42233C14CF1D for <openpgp@ietf.org>; Fri, 29 Jul 2022 09:27:22 -0700 (PDT)
Received: from kduck.mit.edu (c-73-169-244-254.hsd1.wa.comcast.net [73.169.244.254]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 26TGRCMd013854 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <openpgp@ietf.org>; Fri, 29 Jul 2022 12:27:20 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1659112040; bh=2VcD+pkPiQFVJa0mORTXSqDqgfD2S25GA8dEv4K0pl8=; h=Date:From:To:Subject; b=lzyjCerMON3FKcR2dtCTDTgq55CQuMcOJOBePdWoBbQXL08WZDkJA84agU5EBYgNt 5NsKHimqjSa4RgcI4HPYlXrkUlGZzHuRp/pCcPoYPUfUVaOPWRSuD92ZUuzmrQG1BH y7K2w1tgcPEMPNsfRjGzBSsy/KupoUKyJryZld9EGI9zrg7LIny5pd3b23TJl1Yfa0 XBf8dFjoAfDsFqknYEfMDooOdIHprev7Jb1CA6AFtRSBLDU8TFnxUX3pxd+wILYGBz Ef6VHMKyKEFQKVoYiCyx9PPGXMRBuOJAFiWN35dt52aVGIkgEyRjEkROmCu+Aw9vR8 l4m2EPj4hILUA==
Date: Fri, 29 Jul 2022 09:27:12 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: openpgp@ietf.org
Message-ID: <20220729162712.GL30255@kduck.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/3w9bwStWx4NMjvMUiOkVgvNNJlI>
Subject: [openpgp] On guidance to IANA Designated Experts
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jul 2022 16:27:27 -0000
Hi all, We had some discussion in today's session about the changes to the IANA registry policy currently proposed by the crypto-refresh draft (in particular, moving most registries from IETF Consensus to Specification Required policies, see RFC 8126 for the actual procedures). Tero and I both indicated that the Specification Required policy requires the presence of a Designated Expert, and that we should give some guidance to the expert on what they should (or shouldn't) be looking for, and dkg asked if I could send some thoughts to the list. (An abbreviated of this form also went to the in-meeting zulip chat.) I'm functioning as ghost-editor for draft-ietf-cose-rfc8152bis-struct and -algs, which has some fairly extensive guidance to the experts on their role in the ecosystem. https://datatracker.ietf.org/doc/html/draft-ietf-cose-rfc8152bis-algs-12#section-10.4 covers things like avoiding codepoint squatting and vanity registrations, requiring that the specification is actually useful, and requiring that algorithms meet the security requirements of the community and the message structures for which they are proposed to be used. It also notes that experts are being designated experts for a reason, and thus that they should be given substantial latitude. This is not the only approach that can be taken in terms of guidance to the experts (though for OpenPGP I prefer this approach). A contrasting picture is given by QUIC, https://www.rfc-editor.org/rfc/rfc9000.html#name-permanent-registrations where the experts are mostly tasked with verifying that a specification exists and is readily accessible (not necessarily that it's useful or complete). The default procedure seems to be "shall-issue", with a narrow list of reasons to block a registration. This is appropriate in a registry where there's like 2^62 possible values and not much benefit from restricting registration, but not all registries are in that situation. The situation for "provisional registrations" (a few sections previous) is even more open, with the only reasons to reject a provisional registration are "for an excessive proportion of remaining codepoint space or the very first unassigned value" In short, I feel pretty strongly that we should provide guidance to the experts, and while I would prefer some "COSE-like" guidance, the WG consensus should determine what we put in the document. -Ben
- [openpgp] On guidance to IANA Designated Experts Benjamin Kaduk