Re: [saag] SSH & Ntruprime

Eric Rescorla <ekr@rtfm.com> Mon, 25 March 2024 16:07 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 25 Mar 2024 09:06:41 -0700
To: Orie Steele <orie@transmute.industries>
Cc: Eliot Lear <lear@lear.ch>, saag <saag@ietf.org>
Message-ID: <CABcZeBNtE6PtEdmh-2rTC5y9U7yEL8JVNo1HMjZtOQw-DHjXQQ@mail.gmail.com>
In-Reply-To: <CAN8C-_+QUpU2bTeSFmLB7v1qLirTXtypR2U7D54JeEaeKfSp+Q@mail.gmail.com>
List-Id: Security Area Advisory Group <saag.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/HoYnhGgEb2-Ks9froHyL3dqYAlc>

On Mon, Mar 25, 2024 at 8:28 AM Orie Steele <orie@transmute.industries> wrote:

> > Internet-Drafts (often referred to simply as "drafts") have no formal
> status, and are subject to change or removal at any time; therefore they
> should not be cited or quoted in any formal document.
>
> https://www.ietf.org/how/ids/
>
> Sure, a specific version won't change, but we have no assurance that newer
> versions won't be intentionally crippled by authors, and no assurance that
> implementers won't assume the latest version isn't the correct one to
> implement... (developers are conditioned to believe that the latest version
> addresses security issues).
>
> - https://snyk.io/blog/open-source-npm-packages-colors-faker/
> - leftpad... etc...
>
> If the draft is later updated to cripple implementations, it will be the
> IETF, not the authors, that will be blamed for the resulting damage.
>
> In the long term, this will harm the reputation of the IETF, and I doubt
> we will convince developers it's the authors' fault, since we are the ones
> hosting their drafts.
>

Yeah, this seems pretty speculative.

Fortunately, we have a natural experiment here, because RFC 8446 explicitly
allows the registration of TLS code points based on I-Ds, so in five years
I guess we can see how that worked.

-Ekr


> OS
>
>
> On Mon, Mar 25, 2024 at 7:36 AM Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Mon, Mar 25, 2024 at 7:25 AM Eliot Lear <lear@lear.ch> wrote:
>>
>>> Eric,
>>>
>>> On 25.03.2024 15:23, Eric Rescorla wrote:
>>> > Why does it make sense to require some third party to host a spec with
>>> > unclear stability properties when we already have a way of hosting
>>> > with clear stability properties?
>>>
>>> I'm not requiring anything, but you and I are disagreeing about the
>>> stability properties of drafts.
>>>
>>
>> I'm not sure what you think that disagreement is about, as those
>> properties are quite clear:
>>
>> 1. Any individual draft version doesn't change.
>> 2. Whether subsequent versions are issued or are different is up to the
>> authors, but it's visible when it happens because the version increments.
>>
>> The properties of a document hosted on someone's web site are that it can
>> be changed at any time and those changes may or may not be visible. Why do
>> you think this is more stable?
>>
>> -Ekr
>>
>> _______________________________________________
>> saag mailing list
>> saag@ietf.org
>> https://www.ietf.org/mailman/listinfo/saag
>>
>
>
> --
>
>
> ORIE STEELE
> Chief Technology Officer
> www.transmute.industries
>
> <https://transmute.industries>
>