IETF Logo Mail Archive

[saag] Re: New Version Notification for draft-rsalz-crypto-registries-00.txt

Eric Rescorla <ekr@rtfm.com> Fri, 29 November 2024 15:05 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7CE2C1D4A94 for <saag@ietfa.amsl.com>; Fri, 29 Nov 2024 07:05:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0rOhRJBtj9cy for <saag@ietfa.amsl.com>; Fri, 29 Nov 2024 07:05:34 -0800 (PST)
Received: from mail-yb1-xb2f.google.com (mail-yb1-xb2f.google.com [IPv6:2607:f8b0:4864:20::b2f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A0D3C1D4CD2 for <saag@ietf.org>; Fri, 29 Nov 2024 07:05:34 -0800 (PST)
Received: by mail-yb1-xb2f.google.com with SMTP id 3f1490d57ef6-e333af0f528so1214039276.3 for <saag@ietf.org>; Fri, 29 Nov 2024 07:05:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1732892733; x=1733497533; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=7MmiNktdmvEe/277aABP6nfNLVMMk4k5f07TjXWc18M=; b=aNzNuFFw2tdUKI4Jk2EhGwQvMVO9kF7trLhKvRhNX31LjhnLacWuuU99wRUSDjoS+8 q1PiXT2yHqAJonoYQgO1ANE3LnpG9iE61Md+YBmnH/hco86Rer9RdBhIKoDd/7t8P2oo eY7lSidGg6Rsjp4QA96TTabe89Q5cgit9xNbJwxK0MbUibpa2pjWcrq2KW+lvokGUVc7 FOMqeqt4GhMOtPB7SzhXKV3KIdOUFp4UQL57/FOQIlWGK2Uq44DqYBUWLFbVwWtsbDJC X/7F56Mk2p+AJ/VN0DAdbWtG/Pnswb9lUVNVyFycStRFyCfdAAf/1PYtcKl+EFa7Ib5b IqNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1732892733; x=1733497533; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=7MmiNktdmvEe/277aABP6nfNLVMMk4k5f07TjXWc18M=; b=TbmupkkPpAIwmugCa8MUDYhVrzeAsdV704Mn2akIDA+JiAyT2aiHVSIVI9uRl8KBb0 hoWXREikFHzmnQvsCnoU7tdPifndfbT6Tvf0adVcHd6S+a9N1/Y2iZxbfJfvKAo60mv5 dWXwVmizrgNhkdVVE07wYip3mfmcFsUYpL7YrruycIQLcwu9ed7TbWLx4VrmboCboRli suHnQzu+PlT1/fg/0sKY0J5KH4KTQ39jfBWbL5ugeKg1XRY8FF/Ndo+RS5h6zY9//ESH rSvtjHaI/tDY2rBA7OOP2lycKkPCuqUfKDBIkXKqLiPRG+hBy/AEwhN3bJ65AJRbDfuf 22Ig==
X-Forwarded-Encrypted: i=1; AJvYcCVq+UHeQyuhFjD6yT0R28Hpbsl/0p2rDYfVwPGz9jY10E/CKHvE7cE12CytrZsugNswjvm3@ietf.org
X-Gm-Message-State: AOJu0Yw0IT/pyMi7GGBSqz4PnLDwnr0oMqaD2ZwsRpMid/a/KBbVJKUl 9wSizPve5c7KYd6EG2fL3OoQ+ANFc2t9q6Cbap9bEH8uRlwxth+cDoYfIpk2JZiFh5r5sKseyea I01m5k4KYrZC+hJ/HX6OYLzvYpul2YLo1JffZ5A==
X-Gm-Gg: ASbGncv3+DLpVVT3R9ZfCRugxGdZhi9nVFI8f+OJmN7urtXuhA4HKFiEgnebmHFnoQa d3Y+Qh0rHUrVyAzjdtbTe9bvzT5kOwrJD+A==
X-Google-Smtp-Source: AGHT+IFsag7x+xDhH4hegylKVkNJSV9g3liT/VM4m1xF6NDRs7pzgyUtphr5hJNCoSC0lxN9XLSJidllPogM8ZS2W6g=
X-Received: by 2002:a05:6902:2a90:b0:e39:91ec:b167 with SMTP id 3f1490d57ef6-e3991ecb24emr573570276.16.1732892733005; Fri, 29 Nov 2024 07:05:33 -0800 (PST)
MIME-Version: 1.0
References: <SY8P300MB0711C796AB6095C788556516EE292@SY8P300MB0711.AUSP300.PROD.OUTLOOK.COM> <2A5A96D6-7F86-4B55-99D4-39A42B1CA869@aiven.io> <800b679d-8c67-4c27-8531-88de3dd9dada@lear.ch> <CAGL5yWbXxFnAR1zvp9-D4Ftd=6CZzVV=6n=icx3yx622QhYo=w@mail.gmail.com> <4fd41b6b-c687-4d9b-acc1-4f829538de9a@lear.ch> <CABcZeBOhutHwd5Figy65MF44zsrEu9f4NK=QyS72GzVP-L_bRA@mail.gmail.com> <fb45c8c4-6d37-4e24-88b4-75efcd8e1b8e@lear.ch>
In-Reply-To: <fb45c8c4-6d37-4e24-88b4-75efcd8e1b8e@lear.ch>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 29 Nov 2024 07:04:57 -0800
Message-ID: <CABcZeBMM0CUOOm2cwwkCzNyF5iB4+62AMSLJSCsOUGuqoUQh4w@mail.gmail.com>
To: Eliot Lear <lear@lear.ch>
Content-Type: multipart/alternative; boundary="000000000000c90ccf06280e8750"
Message-ID-Hash: X4GJQZUADVG7PGSRFEPVO3PIKDTX4OUD
X-Message-ID-Hash: X4GJQZUADVG7PGSRFEPVO3PIKDTX4OUD
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-saag.ietf.org-0; header-match-saag.ietf.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: saag@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [saag] Re: New Version Notification for draft-rsalz-crypto-registries-00.txt
List-Id: Security Area Advisory Group <saag.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/IuxGf1ntqooIvxxDzV9M_c-PqIo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Owner: <mailto:saag-owner@ietf.org>
List-Post: <mailto:saag@ietf.org>
List-Subscribe: <mailto:saag-join@ietf.org>
List-Unsubscribe: <mailto:saag-leave@ietf.org>

On Thu, Nov 28, 2024 at 10:44 PM Eliot Lear <lear@lear.ch> wrote:

> Hi Eric,
>
> You missed my point.  You are thinking about this from the interior point
> of view of the IETF.  For any given work, we here are likely to have a
> pretty good feel for whether it is likely to continue to change.  From
> outside, nobody knows.
>
> You also have part of the argument reversed.  Currently, this behavior
> (using drafts for code points) *isn't* the norm and so there is no issue.
>
Norms vary. As I said, this has been the norm for the main protocols on the
Web for quite some time.

But again, you're conflating the two cases I was careful to distinguish in
the message you are responding to.

Proponents should show evidence that changing the norm won't cause harm to
> the general market.  And we *have* trained the market to pay attention to
> RFCs rather than drafts.  How do I know this?  I routinely get requests for
> drafts to be published because a certain customer base is looking for the
> RFC imprimatur.
>
But this is in fact the problem: the value of the RFC imprimateur is from
IETF review, not from some notional sense of immutability or that it went
through the RPC. And when we are just documenting some vendors work, that's
not what is happening.

I argue that's a *very* good thing for everyone because it means that
> developers here in the IETF get to worry far less about long term
> interoperability impact as we do our work.
>
And here you're talking about interim deployment again.

-Ekr


This is not to say that early allocation of code points isn't necessary,
> but really that should be for our INTERNAL use, not for general market
> availability.
>
> By the way, it may interest you to know how other SDOs avoid these
> interoperability problems: they often don't make drafts available to the
> general public.
>
> Eliot
> On 29.11.2024 01:09, Eric Rescorla wrote:
>
>
> On Thu, Nov 28, 2024 at 3:59 PM Eliot Lear <lear@lear.ch> wrote:
>
>> Greetings Paul!
>> On 29.11.2024 00:00, Paul Wouters wrote:
>>
>>
>> As long as the code points are references by versioned drafts, this is
>> not an issue. We are looking at the few cases where this was done using an
>> unversioned draft and working with IANA to resolve those.
>>
>> But it is also an issue if you are an implementer and not a protocol spec
>> developer, and you are trying to economically and securely manage your
>> coding and COGS investments.  An RFC or similar vehicle is signal that
>> This->spec will not change without going through a rather involved public
>> development process. It gets particularly concerning when different RFPs
>> have different specific draft version requirements.  That's really where
>> either interoperability begins to break down and/or code complexity goes
>> up, even if different code points are used for different versions.
>>
> Maybe.
>
> There are a number of different cases here.
>
> On one extreme, we have a specification which is being actively developed
> by the IETF, and goes through a number of draft revisions before finally
> being published as an RFC. In that case, yes, it is somewhat difficult to
> have code points associated with drafts prior to the RFC (though TBH, not
> that difficult, and we do this in TLS and QUIC fairly routinely).
>
> On the other extreme, we have a specification which simply documents some
> externally developed technology which will not be modified by the IETF but
> just needs a codepoint registration. In this case, there is generally no
> real issue with multiple versions and I do not believe that having a
> reference to a draft version, because there is no real need to revise it.
> Note that this is distinct from submissions to the Independent stream,
> which naturally go through multiple draft revisions prior to becoming an
> RFC, which might lead to confusion. However, if the code point is just
> assigned on the basis of an I-D with no intention to make an RFC, that is
> not the case. Do you have evidence that there has been significant
> confusion in such cases?
>
> -Ekr
>
>
>
>

v2.29.0 | Report a Bug | By Email | System Status