IETF Logo Mail Archive

[saag] Re: New Version Notification for draft-rsalz-crypto-registries-00.txt

Tero Kivinen <kivinen@iki.fi> Sat, 16 November 2024 13:27 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 001FAC14F60B for <saag@ietfa.amsl.com>; Sat, 16 Nov 2024 05:27:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iki.fi
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QGt84x18W3A4 for <saag@ietfa.amsl.com>; Sat, 16 Nov 2024 05:27:30 -0800 (PST)
Received: from lahtoruutu.iki.fi (lahtoruutu.iki.fi [185.185.170.37]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 688A9C14F61A for <saag@ietf.org>; Sat, 16 Nov 2024 05:27:30 -0800 (PST)
Received: from fireball.acr.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen@iki.fi) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 4XrF740F2Qz49Pv5; Sat, 16 Nov 2024 15:27:27 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1731763648; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=oY6zfiFkZgh57lU518mcJsULYwnl+UDziEcMe1TzJcs=; b=E86TThc1BwChmXC0l2sFxCO5owt14kkXvBUfifrEMiX5509kTSxTOCct3WtPl6Rv+hN2/V jtW+NBsfWqoB2CB6OzXl85xLBkYgk1fzClGgQahM/FGPysouiWy8VyjSIchjokk+01UK6S MZi/o21RAHbTWt8CFOsIKaaiY4zMbvKY7Uhdk9PROHHJ6bpmqdUobhiGi/v6exyNChmszp fqIIOpyKcoS2WISKre+MS41NziISK/ZjbWOUjhw/qXjfKH3OrvkYsFpw+VzKGSQLIHngEM 7tvdzWpg7l9YK0M58pdv+2ZqUw4BIxeG6g7Z04NZ0w6lxIamdzT9Sf63HqkS6g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1731763648; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=oY6zfiFkZgh57lU518mcJsULYwnl+UDziEcMe1TzJcs=; b=cW4k0sb/xsNlkYDkFOxsEXHs1BE9SyK2jyS0UooNsm6BN2dln5S7bFp+9Wbq0dT8o4ZR/6 M9J7pSsXl95rf3TuOmsJ4KvNiD0zm4PErt8baIPKQDPuvoM1ilIKQfHEHvzfMB0SYzS9a3 yiw6BCRCmFFZJtKTnkM1zksE2PTAwCcvIRzf4ORqwbo46jg0OJt5mUlbfsNcpP+PqfNYBw NxUkYkywngG0tft8RKyJF2DKpXz/yNORmqR/u+Md3S9PqKHVoBItS2gpw6B9IJVQb/Sm/1 yt78nQigELznSyFbzIvUe3ZZVMJoyVXoR0YjO7BOSW/Q2pDHTqIdZT1NMSxt8Q==
ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1731763648; a=rsa-sha256; cv=none; b=AcyzQjxKhmjebzwDQVDyXfN+Qp8vAnW3uKCekugkcW1GH9lj2w5iCpFQznrVyMy5P2xC6e 9RHuZkZd4E7kEgeyyNK214+MsmvSZZvd8UuRqviiu/aVSfVCL4vxCzCzX54XN32ZbZaGIm okxrZZkBm9KkQBjVHj4hdaCWIw0VeoexlArfI6xZQn2NHCpj4E/1XTRIhhP/fvrFIUk3Rc 7tpVfpfCOlVLBiGldlWitQZ1hQhIGTzm+Jvk0zPmMlvuMqyvasP9t397LppKEKhb35PgmG a3UVwb/nGAFFIHCATG/4PhaJ/JcCTcebMjd8LwrTjylYUsSLZLCOcSmjPniDdw==
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen@iki.fi smtp.mailfrom=kivinen@iki.fi
Received: by fireball.acr.fi (Postfix, from userid 15204) id ABF6325C0E46; Sat, 16 Nov 2024 15:27:27 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <26424.40383.605711.370013@fireball.acr.fi>
Date: Sat, 16 Nov 2024 15:27:27 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>
In-Reply-To: <87ldxl5zp9.fsf@kaka.sjd.se>
References: <BE95E617-C929-43BA-BB40-41E189A8158B@akamai.com> <87ldxl5zp9.fsf@kaka.sjd.se>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 22 min
X-Total-Time: 22 min
Message-ID-Hash: UD7SN3CSOLROIDRM2SDA26DLRNUTUIZK
X-Message-ID-Hash: UD7SN3CSOLROIDRM2SDA26DLRNUTUIZK
X-MailFrom: kivinen@iki.fi
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-saag.ietf.org-0; header-match-saag.ietf.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, saag@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [saag] Re: New Version Notification for draft-rsalz-crypto-registries-00.txt
List-Id: Security Area Advisory Group <saag.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/G44oa-YjNOVaquA8ZELEaChy4Hk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Owner: <mailto:saag-owner@ietf.org>
List-Post: <mailto:saag@ietf.org>
List-Subscribe: <mailto:saag-join@ietf.org>
List-Unsubscribe: <mailto:saag-leave@ietf.org>

Simon Josefsson writes:
> Good.  I don't claim the document encourage rejecting non-NIST crypto,
> but I think the document may be a useful tool for people who want to
> delay deployment of strong non-sanctioned crypto.  The document suggests
> "Specification Required" for all registries.  This is a limitation
> compared to broad set of different policies allowed by RFC 8126.

I definately want the minimum bar to be "specification required".

Almost only case where someone does not want to provide public
specification for an algorithm is when it is supposed to be national
secret crypto to be added, but I think they can use private use values
for those. 

If there is no specification available publicly then how are people
going to implement an algorithm?

Note, that even if the registry is expert review, experts quite often
do require that specifications to be avaiable, i.e., about same as
specification required.

> Limiting the registration policies is one method to make it harder
> for people to interoperate protocols with non-blessed crypto. In my
> perception, this aspect was used to delay publication of 25519 and
> currently ssh-ntruprime.

How was the publication delayed? Publication != RFC, there is lots of
ways to create specifications that are public available. 

> While good arguments may exist for "Specification Required" in some
> protocols, I don't follow why this is necessarily the right thing
> for all protocols. The First-Come-First-Serve policy for SASL
> mechanisms have worked fine, and allow experimentation with
> non-blessed crypto if people care to do so.

For the SSH there is already first come first serve policy (all names
that contained @) but for some reason that was not enough. And
implementations and interoperability works fine even with those first
come first served names. There is no reason to require strings without
@-chracter for algorithms, both forms work fine in the
implementations.
-- 
kivinen@iki.fi

v2.29.0 | Report a Bug | By Email | System Status