[saag] Re: New Version Notification for draft-rsalz-crypto-registries-00.txt

Paul Wouters <paul.wouters@aiven.io> Thu, 28 November 2024 16:54 UTC

From: Paul Wouters <paul.wouters@aiven.io>
Date: Thu, 28 Nov 2024 11:53:54 -0500
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
CC: Tero Kivinen <kivinen@iki.fi>, Damien Miller <djm@mindrot.org>, Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, saag@ietf.org
Message-Id: <2A5A96D6-7F86-4B55-99D4-39A42B1CA869@aiven.io>
In-Reply-To: <SY8P300MB0711C796AB6095C788556516EE292@SY8P300MB0711.AUSP300.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/CCE3swZGgeCA7YDeGe3CLj6JF98>

On Nov 27, 2024, at 20:03, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> 
> Tero Kivinen <kivinen@iki.fi> writes:
> 
>> When someone (like openssh) creates a new thing with foo@openssh.org, they
>> should include the documentation of that either on their web page, or inside
>> the source distribution etc. Not everything needs to be an RFC, and most of
>> those things that are defined that way are quite simple to document.
> 
> Ahh, no, this leads to the current mess where one of the OpenSSH folks invents
> something, posts it (without any public review) to the bottom of a locked
> filing cabinet stuck in a disused lavatory with a sign on the door saying
> "Beware of the Leopard", it gets added to the de-facto standard SSH
> implementation that everyone has to be compatible with leading to a scramble
> to find out where it's specified and how you're supposed to implement it, and
> then a later scramble to patch it when the security vulns from the lack of
> public review are discovered.

Sure, but the damage by leopards in this case isn't pushed to the IETF by rubber-stamping it with an RFC.

An Internet-Draft is as stable and findable as an RFC, and does not come with the implied endorsement of the IETF.

> Looking at it from the other side of the fence, given the incredibly laborious
> and painful process of getting anything through the IETF (ISO standards are
> often considerably quicker and easier to do than IETF, and that includes the
> time for translation into French) I have some sympathy for the folks who
> choose to do it this way even if I don't really agree with what they're doing.

The process is not just a delay in a desk of a filing cabinet in the Tower of Babel. People actually do consider suitability, applicability, etc. If everything gets an RFC number, it would end up meaning nothing.

Paul