IETF Logo Mail Archive

Re: [saag] SSH & Ntruprime

Michael StJohns <msj@nthpermutation.com> Mon, 25 March 2024 17:40 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3769DC15198B for <saag@ietfa.amsl.com>; Mon, 25 Mar 2024 10:40:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.883
X-Spam-Level:
X-Spam-Status: No, score=-1.883 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XX92gNTrZ-1s for <saag@ietfa.amsl.com>; Mon, 25 Mar 2024 10:40:25 -0700 (PDT)
Received: from mail-qt1-x82c.google.com (mail-qt1-x82c.google.com [IPv6:2607:f8b0:4864:20::82c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EBE4C1519B8 for <saag@ietf.org>; Mon, 25 Mar 2024 10:40:19 -0700 (PDT)
Received: by mail-qt1-x82c.google.com with SMTP id d75a77b69052e-430b870163eso52778791cf.1 for <saag@ietf.org>; Mon, 25 Mar 2024 10:40:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20230601.gappssmtp.com; s=20230601; t=1711388418; x=1711993218; darn=ietf.org; h=in-reply-to:from:references:cc:to:content-language:subject :user-agent:mime-version:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=P4hiQ89mUu+TKWshAQzb7xu7zE53cVIfDRvqQAcnB7k=; b=uLIHrCIbQNcde7OZFk+VkHBuuBkBN0FejEwdmky9WQ7gcg5AQ4zz/YWt1KTSachnfj WHxCnZlyqzlOPAz0NheCpJJOwq11YPbaSI7xekHuYgM1BMssEfrYvVpAgXKSsnw5sYVo gtZ9EWMHBTH4tqGcDG928/Gl5r+D2uDIn0bOFbJqPgxOJEUkhxIzD/ZWO9pmYuhhCK9V 0vgLeNSSpQEUahwPfBk1N+/kHG40kt0deQHRtFloD6ykXnW/7XqUPr8PmC1UyYOnhsa7 vIWlYg0FS1ot2ys5zPh5FOgjJR/CbUE795wazZx9RpRfd6CbsR7kO2+K01ynPctDIyfX 1YFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711388418; x=1711993218; h=in-reply-to:from:references:cc:to:content-language:subject :user-agent:mime-version:date:message-id:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=P4hiQ89mUu+TKWshAQzb7xu7zE53cVIfDRvqQAcnB7k=; b=fHhlqhOzLtrqN864mG5R/hwd0kbf60DzibOU6WR46EhhqGJ2+UvV8v0L49ShOneUF/ a2bJK2uvhnfQ2Ep5Su+c91YMjqMkR1dWUIwueCtytkxyaSwH+xf0rnTYISF7LlKvzmnp Mf9rxb07KesKjhFp6yw1khKXmpy0g+ym2eKUHLwNGCGWuMg+S05ljgDX1DF51Srlgnue 2FhSeWAAk+m1OpxjcD4ib1F7IJdTziR7r6eVZHivGBI4Zs6DruheFbZiNpbzWKiIzZTo 465ryS2qHNr/MNCn4lgoUsTd/5i2PqRA0rH2CX7XSiBaZjH2Ivx3gouB/2ZlvMpyg1Ev QHgw==
X-Gm-Message-State: AOJu0Yy1b2hHNyYlAYBc+Jih92qXl5NQFXSXAPIVeQpqbQqDsR02RT4r UKXe5DVaYSUAxc/rd6bXhHH0vjSheT2WEtwPMKa8bcxL08WOIqdp4VZlCe40dow=
X-Google-Smtp-Source: AGHT+IF/OQHN4RpzGm/6C7XCD6tsp7W/pRKQ1FiJrJpG2WU7pKKewWl6n0KYAcinyuWSf1aTojXN+A==
X-Received: by 2002:a05:6214:2249:b0:691:15c4:7983 with SMTP id c9-20020a056214224900b0069115c47983mr12880978qvc.0.1711388418179; Mon, 25 Mar 2024 10:40:18 -0700 (PDT)
Received: from [192.168.1.23] (pool-108-31-156-76.washdc.fios.verizon.net. [108.31.156.76]) by smtp.gmail.com with ESMTPSA id gf15-20020a056214250f00b006912014b98dsm4283476qvb.129.2024.03.25.10.40.17 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 25 Mar 2024 10:40:17 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------NBTpuqoz0Z3UOqQGxT4H9gJk"
Message-ID: <180b6873-d917-4a6f-9fa7-b174e0afae66@nthpermutation.com>
Date: Mon, 25 Mar 2024 13:40:15 -0400
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Orie Steele <orie@transmute.industries>, Eric Rescorla <ekr@rtfm.com>
Cc: saag@ietf.org
References: <CABcZeBPWjXvLh06-DBO3Z0sfeb2hgzqzaSZ-J2-TZ7qesrSraA@mail.gmail.com> <079A0AA3-FA02-440F-ABA0-6AF897570E86@sonic.net> <CABcZeBOxfYR+=61DV1XN0F9nrmbzLR2zq_ZvADw4UUy1uFafzw@mail.gmail.com> <8caa2d4d-bc80-4fcf-b8bc-839052371730@lear.ch> <CABcZeBMABJ89T0qY0-9C3xxd=mFfGyCh7_9GKbEUBm6JtR+_ng@mail.gmail.com> <6c491f5c-92da-4fb3-a8b1-da1de27b36a6@lear.ch> <CABcZeBN1w0QU6ug3LcMwC+hTMA_-iOs32FkZe+gpPuFrp1y+JA@mail.gmail.com> <64e81f68-5169-4469-b5a0-2851da912091@lear.ch> <CABcZeBOLKMJb5pw59J072FsfeMFcoz1eZYxa1qpXDLW0nAU0cg@mail.gmail.com> <7b4d38b8-b4c1-412b-8287-bd44d0c512a3@lear.ch> <CABcZeBOQYp49i_JjE7vdg6AjxwyvktW7LFTJ4Mh3jt0bmxxxDQ@mail.gmail.com> <CAN8C-_+QUpU2bTeSFmLB7v1qLirTXtypR2U7D54JeEaeKfSp+Q@mail.gmail.com> <CABcZeBNtE6PtEdmh-2rTC5y9U7yEL8JVNo1HMjZtOQw-DHjXQQ@mail.gmail.com> <88a1bb16-b0ef-49b3-a661-c343b4faa7a9@nthpermutation.com> <CABcZeBOo7e=jgrkMa4iXYy-x_2o6eZjTpEyezQiu7AKHk4ZhFQ@mail.gmail.com> <CAN8C-_JKbJLB6EU+8zUoeUgYVMkR4ErkSdpvuzr4LYoNcRKccA@mail.gmail.com>
From: Michael StJohns <msj@nthpermutation.com>
In-Reply-To: <CAN8C-_JKbJLB6EU+8zUoeUgYVMkR4ErkSdpvuzr4LYoNcRKccA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/bcRLbtOLXr3-3UIYkxkL6Wns_W4>
Subject: Re: [saag] SSH & Ntruprime
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2024 17:40:29 -0000

On 3/25/2024 12:52 PM, Orie Steele wrote:
> https://www.rfc-editor.org/rfc/rfc8126#section-4.6
>
> Makes it clear, the expert could decide to accept anything they are 
> directed to accept.
>
> In absence of guidance NOT to accept IDs, I would assert its at the 
> discretion of the expert, and can readily cite examples in the wild, 
> where specification required was satisfied with IDs, for example:
>
> https://www.iana.org/assignments/hpke/hpke.xhtml
> https://datatracker.ietf.org/doc/draft-westerbaan-cfrg-hpke-xyber768d00/02/
>
> If the draft above is ever updated to use a "generic kem combiner" the 
> code point for the -02 will need to be abandoned and a new one will 
> need to be assigned.
>
> Of course the same thing could happen if the reference were a github 
> readme at a specific commit.
>
> Probably no need to ask IANA, see this recent reply:
>
> https://mailarchive.ietf.org/arch/msg/kitten/nKpKSY9Lo9gL2rTju1xDqGFwbCo/
>
> All this aside, it's still my opinion that it's not a good thing to 
> encourage DE's to accept IDs, and if given the choice of specification 
> required and a link to a github repo (which can be deleted at any 
> time), and specification required with a link to an ID (which can be 
> deleted at any time)... I still prefer the external link, because it 
> does not create quality confusion regarding IETF documents... But I'll 
> concede my objection is more based on optics than deviation from process.
>
> OS

Hi Orie -

Let me bring your attention to the fact that if the assignment to this 
draft had been made around the time of RFC447, the link in the registry 
probably would now be wrong.  Sometime in recent history, we completely 
restructured the IETF website and the tools/datatracker sections and 
broke a lot of links - including I believe the ID links. For the 
purposes of datatracker, RFCDIFF and IPR related to ID's, this wasn't a 
problem, because the tools themselves were updated to point to the right 
places.

The IANA seems to have recognized this as they copy the current ID over 
to the IANA website. 
https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids 
numbers 60 and 61.  ID 60 references 
https://www.iana.org/go/draft-pismenny-tls-dtls-plaintext-sequence-number-01. 
However, looking at 
https://datatracker.ietf.org/doc/draft-pismenny-tls-dtls-plaintext-sequence-number/ 
There is now an 02 draft. *_Which is the proper reference for ID 60?_*

Has the IETF committed itself - through an actual public discussion - of 
making the IDs archival? Keeping them online - yes.  Keeping them at a 
fixed URL, I think not and I think RFC8447 was a mistake.  Referencing 
RFC8477 as precedent for Murray's question seems problematic.

I'd recommend revoking the notes on the existing registries that allow 
references to IDs. And, going forward, request the  IESG refrain from 
approving any further notes similar to those on RFC8447 until there's an 
actual consensus and a plan to support "archivalness" of the ID series 
(e.g. with a fixed URL and with a firm requirement that closes the path 
of updating the ID).

Later, Mike



>
>
> On Mon, Mar 25, 2024 at 9:26 AM Eric Rescorla <ekr@rtfm.com> wrote:
>
>
>
>     On Mon, Mar 25, 2024 at 9:22 AM Michael StJohns
>     <msj@nthpermutation.com> wrote:
>
>         Trimmed.
>
>         On 3/25/2024 12:06 PM, Eric Rescorla wrote:
>>
>>
>>         On Mon, Mar 25, 2024 at 8:28 AM Orie Steele
>>         <orie@transmute.industries>
>>         <mailto:orie@transmute.industries> wrote:
>>
>>             > Internet-Drafts (often referred to simply as "drafts")
>>             have no formal status, and are subject to change or
>>             removal at any time; therefore they should not be cited
>>             or quoted in any formal document.
>>             we are the ones hosting their drafts.
>>
>>
>>         Yeah, this seems pretty speculative.
>>
>>         Fortunately, we have a natural experiment here, because RFC
>>         8446 explicitly allows the registration of TLS code points
>>         based on I-Ds, so in five years I guess we can see how that
>>         worked.
>>
>>         -Ekr
>>
>         Hi -
>
>         I just took a look at RFC8446 and I can't find support for
>         that claim.
>
>     My mistake, it's 8447. Muscle memory took over there.
>
>     See https://www.rfc-editor.org/rfc/rfc8447#section-7
>
>     -Ekr
>
>
>         The IANA considerations section refers to RFC8126 and only
>         "Specification Required" or "Standards Action" as the path to
>         registration.   Searching for "ID", "I-D", "internet draft"
>         and "Internet-Draft" doesn't get me anything.
>
>         AFAIK, "Specification Required" as defined in 8126 does not
>         include Internet Drafts, even under the heading of "informal
>         documentation" .  Maybe time to ask the IANA?
>
>         Later, Mike
>
>         _______________________________________________
>         saag mailing list
>         saag@ietf.org
>         https://www.ietf.org/mailman/listinfo/saag
>
>     _______________________________________________
>     saag mailing list
>     saag@ietf.org
>     https://www.ietf.org/mailman/listinfo/saag
>
>
>
> -- 
>
>
> ORIE STEELEChief Technology Officerwww.transmute.industries
>
> <https://transmute.industries>
>

v2.23.0 | Report a Bug | By Email