[saag] Re: New Version Notification for draft-rsalz-crypto-registries-00.txt
Simon Josefsson <simon@josefsson.org> Thu, 14 November 2024 20:26 UTC
From: Simon Josefsson <simon@josefsson.org>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
References: <BE95E617-C929-43BA-BB40-41E189A8158B@akamai.com>
Date: Thu, 14 Nov 2024 21:26:42 +0100
In-Reply-To: <BE95E617-C929-43BA-BB40-41E189A8158B@akamai.com> (Rich Salz's message of "Thu, 14 Nov 2024 15:26:48 +0000")
Message-ID: <87ldxl5zp9.fsf@kaka.sjd.se>
CC: saag@ietf.org
Subject: [saag] Re: New Version Notification for draft-rsalz-crypto-registries-00.txt
List-Id: Security Area Advisory Group <saag.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/-sgrqz7domx6_A_h4IBljzDzFbA>
"Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org> writes:

>> What problem are you trying to solve with this document?
>> Could we start with a problem statement?
>
> It was discussed during SAAG. See the tail end of the chat at https://zulip.ietf.org/#narrow/stream/337-saag

That link leads to a login prompt that requires me to run remotely controlled JavaScript code in my browser. Is the chat publicly archived? Wouldn't it be nice if things had to be "permanent and readily available" to be used as reference material? :)

>> To me, it seems like an attempt to generalize a policy that risks
>> increasing the downward angle of the slippery slope towards rejecting all
>> crypto that isn't controlled by NIST.
>
> This greatly concerns me. Can you tell why you think it encourages
> that? Because I am strongly opposed to that.

Good. I don't claim the document encourages rejecting non-NIST crypto, but I think the document may be a useful tool for people who want to delay deployment of strong non-sanctioned crypto.

The document suggests "Specification Required" for all registries. This is a limitation compared to the broad set of different policies allowed by RFC 8126. Limiting the registration policies is one method to make it harder for people to interoperate protocols with non-blessed crypto. In my perception, this aspect was used to delay publication of 25519 and currently ssh-ntruprime. While good arguments may exist for "Specification Required" in some protocols, I don't follow why this is necessarily the right thing for all protocols. The First-Come-First-Serve policy for SASL mechanisms has worked fine, and allows experimentation with non-blessed crypto if people care to do so.

/Simon

>> I don't think I-D's are appropriate to use as reference material in the
>> Specification Required context. The current IETF I-D boilerplate says:
>
> Yes, that's a matter of controversy, see above comment on consensus.
>
>>> DE Instructions
>>> Unless the WG chairs indicate otherwise via email, the Designated
>>> Experts should decline code point registrations for documents which
>>> have already been adopted or are being proposed for adoption by IETF
>>> working groups or IRTF research groups.
>
>> I suggest changing 'or are being proposed for adoption into 'or are
>> being proposed by the document authors for adoption into' to avoid
>> external people filibustering the registration process of a document by
>> proposing it for adoption by some random WGs. Proposing others' work
>> as WG documents is a pattern that has been followed for several
>> protocols that people dislike and seemingly wish to delay.
>
> Very good suggestion. Recorded at https://github.com/richsalz/draft-rsalz-crypto-registries/issues/1