Re: [saag] SSH & Ntruprime

Orie Steele <orie@transmute.industries> Mon, 25 March 2024 15:28 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/U9T3gsYJkgAWManBhevbKSxca0Y>

> Internet-Drafts (often referred to simply as "drafts") have no formal
> status, and are subject to change or removal at any time; therefore they
> should not be cited or quoted in any formal document.

https://www.ietf.org/how/ids/

Sure, a specific version won't change, but we have no assurance that newer
versions won't be intentionally crippled by authors, and no assurance that
implementers won't assume the latest version isn't the correct one to
implement... (developers are conditioned to believe that the latest version
addresses security issues).

- https://snyk.io/blog/open-source-npm-packages-colors-faker/
- leftpad... etc...

If the draft is later updated to cripple implementations, it will be the
IETF, not the authors, that will be blamed for the resulting damage.

In the long term, this will harm the reputation of the IETF, and I doubt we
will convince developers it's the authors' fault, since we are the ones
hosting their drafts.

OS


On Mon, Mar 25, 2024 at 7:36 AM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Mon, Mar 25, 2024 at 7:25 AM Eliot Lear <lear@lear.ch> wrote:
>
>> Eric,
>>
>> On 25.03.2024 15:23, Eric Rescorla wrote:
>> > Why does it make sense to require some third party to host a spec with
>> > unclear stability properties when we already have a way of hosting
>> > with clear stability properties?
>>
>> I'm not requiring anything, but you and I are disagreeing about the
>> stability properties of drafts.
>>
>
> I'm not sure what you think that disagreement is about, as those
> properties are quite clear:
>
> 1. Any individual draft version doesn't change.
> 2. Whether subsequent versions are issued or are different is up to the
> authors, but it's visible when it happens because the version increments.
>
> The properties of a document hosted on someone's web site are that it can
> be changed at any time and those changes may or may not be visible. Why do
> you think this is more stable?
>
> -Ekr


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries