IETF Logo Mail Archive

Re: [saag] SSH & Ntruprime

"StJohns, Michael" <msj@nthpermutation.com> Thu, 11 April 2024 02:05 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51B6CC14F5F4 for <saag@ietfa.amsl.com>; Wed, 10 Apr 2024 19:05:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5u1LFu8IQYZa for <saag@ietfa.amsl.com>; Wed, 10 Apr 2024 19:05:09 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D172C14F600 for <saag@ietf.org>; Wed, 10 Apr 2024 19:05:07 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id 38308e7fff4ca-2d8129797fcso99056741fa.1 for <saag@ietf.org>; Wed, 10 Apr 2024 19:05:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20230601.gappssmtp.com; s=20230601; t=1712801105; x=1713405905; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=eah1fpdOqM/SfBsw5jZ+WQRl3VPOBK1/f+YXew2K21Y=; b=S0bU9RudRih5O3vFEY6+H/T9vu/RJ6Ph/RIlaRfFitcJGgr9l78gLtHyDOSDJ9dr/k ajvs5hJppf6hc9thXkUADwGiwqgsIxNztU3aj3QsIxKWuVBdXTLae+Y9Jr06S7SCrECv vJDSwtQgW6nNHMY8h4llLdBRKbowIr+BnAZrNvHTDWz9gNQaR1GQ8goHqmTomXGaoSsI 257yYANm20uteOlRFuIVW9hc52gfQSMLY8ixol2xsbzoz1m62VtulzIH+mRojEAMrTTa iJQ23ORrKiiiKtmgvoCkGpYph4IiMLLBoV1cSaGPmx9acYaZP2PQ5cl8PXfJafQoJa3m td3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712801105; x=1713405905; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=eah1fpdOqM/SfBsw5jZ+WQRl3VPOBK1/f+YXew2K21Y=; b=OELMIz1WTwQuakkD75sKaVLHIA4Bb/Xh88/eitVs0gjarNv5ASspp3swQHkysaoPJ3 YuGEEL1ITvpOmKlT56yj+EQOAw8z+fFUQj3zEk6z2I1jwI2lNvBf/QX0qEum1rVpU5B8 o86k1EeMfytBfPFllx4VE4Gd3sajhl6+9tumoCprHjutWx+tLOeEscpLWxBHINqi115c GAIQBFEGxzshC+D7fdedIQ1F0xKSbbHBuG5kmZ/mfz7ntbAj6tF/LPYKWmQhTd0ZiYY8 IOaDqFABOmuNezTfUOXcpgi8w+IjSL/0+xh2tmlwfiCqPLjK99eSBIHq19WiC4iChIl4 BsCg==
X-Gm-Message-State: AOJu0YxGLlbCTCZUxC8bGyNJ1l1mSm74EhzsloliPsJJgA/Tl2eHxqel Gend6eoYWFEULem/m8pwxboJ43sxnqi+75lnQadaPf2E0kM8l+pw/Weqt4YoJ2ZVTgE96tlj3+N YgYvFrD8FXu+IC4HQS5yC7zPK9ts1JQa8AS4SOeVqqmv49ER7
X-Google-Smtp-Source: AGHT+IF/BYl0WEdTizVXx7/hZSToZChZGUimsMGxske9Nq9OyMosMZbvFybPleYJiJ3EVNyDV3UdzbAAcrWNamnpqXc=
X-Received: by 2002:a2e:9917:0:b0:2d8:eaff:8a38 with SMTP id v23-20020a2e9917000000b002d8eaff8a38mr1029254lji.46.1712801104597; Wed, 10 Apr 2024 19:05:04 -0700 (PDT)
MIME-Version: 1.0
References: <05D73B77-ECFB-43E9-A2A8-00D46F63FC32@aiven.io> <20240405162821.1801419.qmail@cr.yp.to> <CAGL5yWaJXRDyiQ=w2XJcoFhCQ3JDriqO+jAcOKz7J4kW2PY=uw@mail.gmail.com> <87o7ahzi8c.fsf@kaka.sjd.se> <CABcZeBO-_k3pTsLAqOm3c5F8Cnbnd1mtdpuaoQicoCRBLPZLLg@mail.gmail.com> <d2bd2378-4de4-4426-b2f4-fbcff6de5d2a@cs.tcd.ie> <CABcZeBPtRoGg=diFd2MjRXn0SD+KMJSC65ROe55SpsdcLL_m_g@mail.gmail.com> <9da5e8a6-b329-41cd-89c1-4423f6739341@nthpermutation.com> <CABcZeBN-Oy-vG=VYwqAmd=Fi7AWyp1pQPnMQMhe0-EzOPZwrsQ@mail.gmail.com> <7127f31a-bb6f-467a-aa67-55b46e7f95f2@nthpermutation.com> <3bef7fff-6a84-42ba-a2ee-a5e6bd60c816@cs.tcd.ie>
In-Reply-To: <3bef7fff-6a84-42ba-a2ee-a5e6bd60c816@cs.tcd.ie>
From: "StJohns, Michael" <msj@nthpermutation.com>
Date: Wed, 10 Apr 2024 22:04:53 -0400
Message-ID: <CANeU+ZDvWWd+HmtXx=4x0zgO6FNfeqwzybU+jjVHzFWqkgz2Rg@mail.gmail.com>
To: Security Area Advisory Group <saag@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="0000000000006939140615c89514"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/JvKEq42U5rYg-hSfQDK4eR0xo6Y>
Subject: Re: [saag] SSH & Ntruprime
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2024 02:05:11 -0000

On Wed, Apr 10, 2024 at 21:06 Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Hiya,
>
> On 10/04/2024 19:41, Michael StJohns wrote:
> >>
> >
> > Yeah - 8447 was an effective example of a submarine submission.
>
> I don't think that's at all accurate. TLS is one or our
> currently very important protocols so nothing coming from
> that WG could reasonably be described as taking a submarine
> approach IMO.
>


I’m going to stick with the word as, intentional or not, it’s sort of what
the record shows.

According to the datracker, you were the document shepherd, but the
shepherd report that Sean added to the tracker was done against the -03
draft (note the date of the report vs the post date of -04).  The -04 draft
was where the notes were added.  None of the text in either the shepherd
report nor the last call announcement text mentioned that  IDs were now
acceptable for Specification Required references.

None of the AD discussions mentioned this, and the shepherd report is clear
that very few people reviewed the draft before the -04 changes, let alone
after.



*There's not been a lot of review because most people consider
thisadministrivia that others should do; most just want the rules relaxed.
Acouple of notable reviews have been provided as noted below.*





> There was also a history of years of debate about how to
> handle ciphersuite code points that lead up to 8447 so I
> really don't think it's credible to say that 8447 is some
> kind of sneaky end-run.
>

Most of 8447 was perfectly fine and I have no issues with anything there
except the late updates rewriting the RFC8126 guidance for Specification
Required.

>
> I'll also note the title and content of 8447 says that it
> applies to TLS and DTLS registries so I'm confused by any
> argument that says that 8447 affects other protocols other
> than in the abstract sense that it demonstrates a setup
> that could in principle be copied.
>
> So, WRT this thread: IMO 8447 is fine, but that does not
> mean everyone else needs to operate as if they're TLS,
> and in particular, 8447 has zero implication for how best
> to handle anything to do with SSH.
>

Yup. And had EKR not mentioned RFC8447 might be a good model for SSH
earlier in this chain, I wouldn’t be saying anything now.

My opinion, as stated before, is that a change to the status of IDs from
not citable (except in well defined and documented circumstances) to
citable is a change that needs a lot more community discussion than notes
buried in a boilerplate, lightly reviewed, niche document.

I think that change would be a bad idea, but if the community wants the
change and follows the rules to publish the change, go for it.

Later, Mike

Ps - let me be clear - I don’t think anyone was trying to sneak around, and
I believe the good faith explanations about the process, but still this
rfc8447 avoided community review of a topic that should have gotten a lot
more sunshine.

>
> S.
>

v2.23.0 | Report a Bug | By Email