IETF Logo Mail Archive

[saag] Re: New Version Notification for draft-rsalz-crypto-registries-00.txt

Paul Wouters <paul.wouters@aiven.io> Thu, 28 November 2024 22:58 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AD73C14F713 for <saag@ietfa.amsl.com>; Thu, 28 Nov 2024 14:58:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qz_gxkWopUAF for <saag@ietfa.amsl.com>; Thu, 28 Nov 2024 14:58:39 -0800 (PST)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 987FDC15109A for <saag@ietf.org>; Thu, 28 Nov 2024 14:58:39 -0800 (PST)
Received: by mail-ed1-x530.google.com with SMTP id 4fb4d7f45d1cf-5cfaeed515bso1453511a12.1 for <saag@ietf.org>; Thu, 28 Nov 2024 14:58:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1732834718; x=1733439518; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=nhRfqWNmWH2Y4FcRM77Fgr4Rezqg8yLOYZt9iyu1BKg=; b=Y077EG7saJU/RNeIKUeWD4HWE+vDcyvYKzgG+gzybgK2k+5n/hlht1a11gJkBSH6lm GpfOiddIMb90GYUU0XmSNq2Ft+q7IFjpTYmeBjvpZ/A/rs/dCoJUHaxzgq0ogGIK9pHb d7rv62s6UAI31yfXy3hs93AtWuoaNRPKDWqeY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1732834718; x=1733439518; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=nhRfqWNmWH2Y4FcRM77Fgr4Rezqg8yLOYZt9iyu1BKg=; b=ZjjBWqW4IBFhNDKNVMPSw8Inop/M/hNnLUwhWjLGIPDberjjZIcnKHZn8EicEl/1Jr 7iY5EadJ+eeY2S8T3pqPfv472jYeqY63FuBpKRVpkJrce/OeugrKfygWFCvrF1JWDgbr xCAQFjPnF6E4Glukvf0e/cFeHC1QYVi31UqQMfhwZMkvZiuUmjxaFLElNbn29p2TuLFa 5JxWY6DZ8sTcNY9utmjNMumJz/k2m7VHOrO1opWkhFN7ZfBYjL8FddfBkHLNNf5uLFg0 jLMib2RdNfHnQJbF99jEYukG+fbfVFAOdH1NmVbykgARJqpc8X2gBPAQc08nO2pBpRVR 9XJw==
X-Forwarded-Encrypted: i=1; AJvYcCVO6hUx7joWiQ5Su8ThXRFveQBxUWwJPfvNBMkROJPvAUz+n/+Rv1uiIPE1mZXFmTHob0Hu@ietf.org
X-Gm-Message-State: AOJu0YwtbPoHEQKUPOzBSeGr/ZGke7JFOD9C3b1PgywfUJdZX90iMKfH ire1WUywtaCzxI7yk9LIZcBpnnd0lCp9p60LLCcf4ULD60cH9hWSTVtU//ADNWaCAL1sW2EzF5H eEbcvdXHTMz/PzntXBcVF9gDW5xyP+2v/YftPRA==
X-Gm-Gg: ASbGncumBm/s6jn04M2o4X0ho+RprOOCOmvxiP480xtZj5cztE47yGAOWX/numsBGE9 j4XBf4N2ycp6r7JC57J/HdXvgk2L5ow==
X-Google-Smtp-Source: AGHT+IE8D4GEgI7z5mYEGCS5Cqechr6E56vPqT74upeSu3Z8nF7NNijNe5md2rp5wqcU/xihQlY46J9YWG94ar//yT0=
X-Received: by 2002:a05:6402:2116:b0:5cf:eaf7:2776 with SMTP id 4fb4d7f45d1cf-5d080b8ca0cmr9542485a12.7.1732834718150; Thu, 28 Nov 2024 14:58:38 -0800 (PST)
MIME-Version: 1.0
References: <BE95E617-C929-43BA-BB40-41E189A8158B@akamai.com> <87ldxl5zp9.fsf@kaka.sjd.se> <26424.40383.605711.370013@fireball.acr.fi> <71bcb4f8-e147-a6cb-3c67-b6daef61f309@mindrot.org> <26439.33533.129915.244853@fireball.acr.fi> <SY8P300MB0711C796AB6095C788556516EE292@SY8P300MB0711.AUSP300.PROD.OUTLOOK.COM> <15450.1732763286@obiwan.sandelman.ca> <3029EB03-6E7A-47CB-9682-F511CB51EE17@akamai.com> <10065.1732826193@obiwan.sandelman.ca> <CACsn0cmWVeFdJ3dzMj5SV4XpJF4rssULtfQ1moeefoq-Evhk=g@mail.gmail.com>
In-Reply-To: <CACsn0cmWVeFdJ3dzMj5SV4XpJF4rssULtfQ1moeefoq-Evhk=g@mail.gmail.com>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Thu, 28 Nov 2024 17:57:59 -0500
Message-ID: <CAGL5yWb=tLvMOYFKT3ffVbcy7BAD=i4B0VHEUdkvwRvZ3X3Bsw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000d4da920628010548"
Message-ID-Hash: MNKKZBU5EB7HCE5WXLLPSTIQPBVB7GJR
X-Message-ID-Hash: MNKKZBU5EB7HCE5WXLLPSTIQPBVB7GJR
X-MailFrom: paul.wouters@aiven.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-saag.ietf.org-0; header-match-saag.ietf.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, Tero Kivinen <kivinen@iki.fi>, Damien Miller <djm@mindrot.org>, Simon Josefsson <simon@josefsson.org>, IETF SAAG <saag@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [saag] Re: New Version Notification for draft-rsalz-crypto-registries-00.txt
List-Id: Security Area Advisory Group <saag.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Vgu6qH1SEQIym879WExaTx3PmSU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Owner: <mailto:saag-owner@ietf.org>
List-Post: <mailto:saag@ietf.org>
List-Subscribe: <mailto:saag-join@ietf.org>
List-Unsubscribe: <mailto:saag-leave@ietf.org>

On Thu, Nov 28, 2024 at 4:32 PM Watson Ladd <watsonbladd@gmail.com> wrote:

>
>> Maybe, but Peter's complaint is that OpenSSH sets defacto "standards"
>>
>
> As opposed to?
>

IKEv2 and IPsec with RFC 8221/8284 provides recommendations for
implementers that usually translate with some delay to defaults.

TLS with RECOMMENDED  provides recommendations for implementers that
usually translate with some delay to defaults. Such as recommending only
AEADs for TLS 1.2, not using 1.0/1.1, etc.

OpenPGP RFC 8590 recommending which algorithms to no longer use for new
encryption (and keep support for old algos to be able to read old encrypred
files/email)

DNSSEC recommends algorithms via RFC 8624, separate for signing/producing
and verifying/consuming to provide for facilitating a long tail. This took
some time and discussion because people did have different opinions (eg it
was decided SHA1 couldn't be fully kicked at the time because it was still
too much in use)

For SSH we never had that because the SSH community and the IETF broke
apart in the 90s. Now with the SSHM WG we are trying to amend that, which I
guess comes with difficulties and 20 years of fork'ed opinions.


> If you want running code out there that's what happens
>

I don't understand this sentence. We have plenty of running code with
options not dictated by one implementation.

Paul

v2.29.0 | Report a Bug | By Email | System Status