IETF Logo Mail Archive

Re: [saag] SSH & Ntruprime

Eric Rescorla <ekr@rtfm.com> Mon, 25 March 2024 18:06 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59E46C18DB83 for <saag@ietfa.amsl.com>; Mon, 25 Mar 2024 11:06:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.884
X-Spam-Level:
X-Spam-Status: No, score=-6.884 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Crfk_zrM8HXL for <saag@ietfa.amsl.com>; Mon, 25 Mar 2024 11:06:35 -0700 (PDT)
Received: from mail-yb1-xb36.google.com (mail-yb1-xb36.google.com [IPv6:2607:f8b0:4864:20::b36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEEDAC14F5F7 for <saag@ietf.org>; Mon, 25 Mar 2024 11:06:35 -0700 (PDT)
Received: by mail-yb1-xb36.google.com with SMTP id 3f1490d57ef6-dcd7c526cc0so4795718276.1 for <saag@ietf.org>; Mon, 25 Mar 2024 11:06:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1711389995; x=1711994795; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ab1iab1oEnx1Y4nIwbghkzvF9kuVSqY3AuIp2E1hBUQ=; b=b79PHEPiuCfzwGUPoMZi8elo76rtzuiFM3zRt+2pzzYGZma6eIbc+v6ihr2PDT/euX VpHOpNr+8Vl0oqPoD30IGfufG/n4MG8gtqBdFK3ectzrvFVLfF8hLnMFNoPjsQ4oc0OH O95bpaO588cfMdygABbLeqcVR9zKTZFk6ZcXiy72jOft0Ps+85VWbO3dBNvq6bbcb7B9 E0+SnuEdTrBr6EP+6kblgHzvoeslUyUTMLfsVYiuUwJWVFpJ0XPXiHc9vuMo5tcQJXqn xtR12yZBkLUJyinO8h8Bwayle6IpCCNCsLCnD0WmAh9gXx2XPAhegEI1czjAFoQzZngo lDxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711389995; x=1711994795; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ab1iab1oEnx1Y4nIwbghkzvF9kuVSqY3AuIp2E1hBUQ=; b=nGc2FcgSf4BzjpXq0XIVSkNj0vnPB2Q9XsJ+2x3i7huKMO1XV/BN3uw8oOxjAyILeR IEO3LOy5lQulgcUki6oAaylviZ10HnxrN71tpohBZOR3os6DePaojefDsCkzKJqRsQam vN61QN8yyjttwbhSfwe7gFJFjbTSYFYSkXPRAuU5Cx8XxHnWLzlCtiBKZYE2g9P8MHz7 EM9L4u5t6E/oejncc4iT6M4ao66ff1a6NkxcpSlK1b3+q8/JwQbPC7tzJpaLEQCrECDc IHDEIwk+k+pDqmX6HDXTTAtOL/BEeOSneVNCfL01LtO0FCte+mfpbBfUdCKW4aaOnzvy ey3Q==
X-Forwarded-Encrypted: i=1; AJvYcCUJMZiuVP7P+mGl0xLzLGELZevx4fI/9xkEWOV9OKpkEnHdSXYI9u9+2stJ6V0UAgLvHd/X0OUoHfGB6gBr
X-Gm-Message-State: AOJu0YzGpvGVHe4gvD1dqquXQ+AgG6f4DSPo4p5CaMi+63uVOoEqFaNq 6DsmZo7NR4IcYUpCivQUjnzH5j7+BdlV+kIixVx3PZHIPaupr++KHJjlZ5mMTgw+bjLW/BkJ9c3 oKKj8f+B7MHot1A/NEExx5miodYVZjEvOfpzpPC1tYTg3B0fn
X-Google-Smtp-Source: AGHT+IHI+UWEZ+5+J3gbyInB+U/xGhPobP6Wy/nhaj9fkoGQOZNL0ojTqVfIZpHjDT/CIExhUJP8pIqwzZ0FEUAR9K8=
X-Received: by 2002:a25:1185:0:b0:dd1:64e6:2c80 with SMTP id 127-20020a251185000000b00dd164e62c80mr5455035ybr.46.1711389993777; Mon, 25 Mar 2024 11:06:33 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBPWjXvLh06-DBO3Z0sfeb2hgzqzaSZ-J2-TZ7qesrSraA@mail.gmail.com> <079A0AA3-FA02-440F-ABA0-6AF897570E86@sonic.net> <CABcZeBOxfYR+=61DV1XN0F9nrmbzLR2zq_ZvADw4UUy1uFafzw@mail.gmail.com> <8caa2d4d-bc80-4fcf-b8bc-839052371730@lear.ch> <CABcZeBMABJ89T0qY0-9C3xxd=mFfGyCh7_9GKbEUBm6JtR+_ng@mail.gmail.com> <6c491f5c-92da-4fb3-a8b1-da1de27b36a6@lear.ch> <CABcZeBN1w0QU6ug3LcMwC+hTMA_-iOs32FkZe+gpPuFrp1y+JA@mail.gmail.com> <64e81f68-5169-4469-b5a0-2851da912091@lear.ch> <CABcZeBOLKMJb5pw59J072FsfeMFcoz1eZYxa1qpXDLW0nAU0cg@mail.gmail.com> <7b4d38b8-b4c1-412b-8287-bd44d0c512a3@lear.ch> <CABcZeBOQYp49i_JjE7vdg6AjxwyvktW7LFTJ4Mh3jt0bmxxxDQ@mail.gmail.com> <CAN8C-_+QUpU2bTeSFmLB7v1qLirTXtypR2U7D54JeEaeKfSp+Q@mail.gmail.com> <CABcZeBNtE6PtEdmh-2rTC5y9U7yEL8JVNo1HMjZtOQw-DHjXQQ@mail.gmail.com> <88a1bb16-b0ef-49b3-a661-c343b4faa7a9@nthpermutation.com> <CABcZeBOo7e=jgrkMa4iXYy-x_2o6eZjTpEyezQiu7AKHk4ZhFQ@mail.gmail.com> <CAN8C-_JKbJLB6EU+8zUoeUgYVMkR4ErkSdpvuzr4LYoNcRKccA@mail.gmail.com> <180b6873-d917-4a6f-9fa7-b174e0afae66@nthpermutation.com>
In-Reply-To: <180b6873-d917-4a6f-9fa7-b174e0afae66@nthpermutation.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 25 Mar 2024 11:05:57 -0700
Message-ID: <CABcZeBPHQPMFk-xwjn-UnCN+T8eFJJyFAeXV82rfFgz334xWZw@mail.gmail.com>
To: Michael StJohns <msj@nthpermutation.com>
Cc: Orie Steele <orie@transmute.industries>, saag@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a6dc870614800800"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/I6EuAMGj6HwxFAVSN0rOg0ubQgg>
Subject: Re: [saag] SSH & Ntruprime
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2024 18:06:40 -0000

On Mon, Mar 25, 2024 at 10:40 AM Michael StJohns <msj@nthpermutation.com>
wrote:

> On 3/25/2024 12:52 PM, Orie Steele wrote:
>
> https://www.rfc-editor.org/rfc/rfc8126#section-4.6
>
> Makes it clear, the expert could decide to accept anything they are
> directed to accept.
>
> In absence of guidance NOT to accept IDs, I would assert its at the
> discretion of the expert, and can readily cite examples in the wild, where
> specification required was satisfied with IDs, for example:
>
> https://www.iana.org/assignments/hpke/hpke.xhtml
> https://datatracker.ietf.org/doc/draft-westerbaan-cfrg-hpke-xyber768d00/02/
>
> If the draft above is ever updated to use a "generic kem combiner" the
> code point for the -02 will need to be abandoned and a new one will need to
> be assigned.
>
> Of course the same thing could happen if the reference were a github
> readme at a specific commit.
>
> Probably no need to ask IANA, see this recent reply:
>
> https://mailarchive.ietf.org/arch/msg/kitten/nKpKSY9Lo9gL2rTju1xDqGFwbCo/
>
> All this aside, it's still my opinion that it's not a good thing to
> encourage DE's to accept IDs, and if given the choice of specification
> required and a link to a github repo (which can be deleted at any time),
> and specification required with a link to an ID (which can be deleted at
> any time)... I still prefer the external link, because it does not create
> quality confusion regarding IETF documents... But I'll concede my objection
> is more based on optics than deviation from process.
>
> OS
>
> Hi Orie -
>
> Let me bring your attention to the fact that if the assignment to this
> draft had been made around the time of RFC447, the link in the registry
> probably would now be wrong.  Sometime in recent history, we completely
> restructured the IETF website and the tools/datatracker sections and broke
> a lot of links - including I believe the ID links. For the purposes of
> datatracker, RFCDIFF and IPR related to ID's, this wasn't a problem,
> because the tools themselves were updated to point to the right places.
>
> The IANA seems to have recognized this as they copy the current ID over to
> the IANA website.
> https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
> numbers 60 and 61.  ID 60 references
> https://www.iana.org/go/draft-pismenny-tls-dtls-plaintext-sequence-number-01.
> However, looking at
> https://datatracker.ietf.org/doc/draft-pismenny-tls-dtls-plaintext-sequence-number/
> There is now an 02 draft.  *Which is the proper reference for ID 60?*
>
> Has the IETF committed itself - through an actual public discussion - of
> making the IDs archival? Keeping them online - yes.  Keeping them at a
> fixed URL, I think not and I think RFC8447 was a mistake.  Referencing
> RFC8477 as precedent for Murray's question seems problematic.
>
> I'd recommend revoking the notes on the existing registries that allow
> references to IDs.
>
Well, that would obviously require IETF Consensus, so I suppose your first
step would be to write an ID.

And, going forward, request the  IESG  refrain from approving any further
> notes similar to those on RFC8447 until there's an actual consensus
>
I'm not sure on what basis you are saying that there's not an actual
consensus. RFC 8447 is the product of an IETF WG and went through the IETF
process, and so there is a presumption of consensus. In fact, it says so
right there in the boilerplate. I realize you object, but that doesn't mean
there wasn't rough consensus for RFC 8447.

-Ekr



Later, Mike
>
>
>
>
>
> On Mon, Mar 25, 2024 at 9:26 AM Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Mon, Mar 25, 2024 at 9:22 AM Michael StJohns <msj@nthpermutation.com>
>> wrote:
>>
>>> Trimmed.
>>>
>>> On 3/25/2024 12:06 PM, Eric Rescorla wrote:
>>>
>>>
>>>
>>> On Mon, Mar 25, 2024 at 8:28 AM Orie Steele <orie@transmute.industries>
>>> <orie@transmute.industries> wrote:
>>>
>>>> > Internet-Drafts (often referred to simply as "drafts") have no formal
>>>> status, and are subject to change or removal at any time; therefore they
>>>> should not be cited or quoted in any formal document.
>>>> we are the ones hosting their drafts.
>>>>
>>>
>>> Yeah, this seems pretty speculative.
>>>
>>> Fortunately, we have a natural experiment here, because RFC 8446
>>> explicitly allows the registration of TLS code points based on I-Ds, so in
>>> five years I guess we can see how that worked.
>>>
>>> -Ekr
>>>
>>> Hi -
>>>
>>> I just took a look at RFC8446 and I can't find support for that claim.
>>>
>> My mistake, it's 8447. Muscle memory took over there.
>>
>> See https://www.rfc-editor.org/rfc/rfc8447#section-7
>>
>> -Ekr
>>
>>
>> The IANA considerations section refers to RFC8126 and only "Specification
>>> Required" or "Standards Action" as the path to registration.   Searching
>>> for "ID", "I-D", "internet draft" and "Internet-Draft" doesn't get me
>>> anything.
>>>
>>> AFAIK, "Specification Required" as defined in 8126 does not include
>>> Internet Drafts, even under the heading of "informal documentation" .
>>> Maybe time to ask the IANA?
>>>
>>> Later, Mike
>>> _______________________________________________
>>> saag mailing list
>>> saag@ietf.org
>>> https://www.ietf.org/mailman/listinfo/saag
>>>
>> _______________________________________________
>> saag mailing list
>> saag@ietf.org
>> https://www.ietf.org/mailman/listinfo/saag
>>
>
>
> --
>
>
> ORIE STEELE Chief Technology Officer www.transmute.industries
>
> <https://transmute.industries>
>
>
>

v2.23.0 | Report a Bug | By Email