Re: [saag] SSH & Ntruprime
Simon Josefsson <simon@josefsson.org> Wed, 10 April 2024 09:21 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C11DC14CEFE; Wed, 10 Apr 2024 02:21:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.398
X-Spam-Level:
X-Spam-Status: No, score=-4.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=josefsson.org header.b="GKRp6MAW"; dkim=pass (2736-bit key) header.d=josefsson.org header.b="I2GnomcU"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id okil2vIARxXH; Wed, 10 Apr 2024 02:21:49 -0700 (PDT)
Received: from uggla.sjd.se (uggla.sjd.se [IPv6:2001:9b1:8633::107]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D9BEC14F61C; Wed, 10 Apr 2024 02:21:47 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=ed2303; h=Content-Type:MIME-Version:Message-ID:In-Reply-To :Date:References:Subject:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding :Content-ID:Content-Description; bh=2mwWk/z77HbeDWxjdBgu9DbZONGo58srer4e6vJuThU=; t=1712740894; x=1713950494; b=GKRp6MAWsAS2XwnoEVs86EeVkh9QhEejANdIvQUW3hykPA2/EZ3AdRf0jtf4uFEVXqieYPa8JuB s+0VC4ROEAA==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=rsa2303; h=Content-Type:MIME-Version:Message-ID: In-Reply-To:Date:References:Subject:Cc:To:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=2mwWk/z77HbeDWxjdBgu9DbZONGo58srer4e6vJuThU=; t=1712740894; x=1713950494; b=I2GnomcUYM/2vPSbM0fWjdG4F8Rz08A5TdK2vEdHJUXt07cjukrVzUW/zptWCOVzvQweUTFTRLr wv+8FU4oQTmrNEJHjaE72Zv5EqC0DOv4efQHyOE/T/G3f5kxHlMqNpQQRvZc0F509RM1XlFHr9Wbf lGBN3nUMbKUCI5NEWDfBLUU0QsvUlsNUmelrWLkHWrimX8yfHV8fbsQ7qyGK4JhuGXXPNh3O60B+9 tBRYBlngW7kOqyu6Wj3fq62Od/0/c6jpRVIZbEsPtlbKXqPIMMVyE5p7iSBhO0fHcoo0RWMU4jADs iBxCaY8srnXLSMXq6cvU923AZGv/hs7VpjuWxXJWnArQNGxqxfqMfsUBe0d8njxLlogMDe1bzmRZD UMOgS5Dv1sPW1VBcPc5gGb/1I6fiNQ5XxWMCCgwqItoY9nUw9UU2JBjqPMMhzCxZA9UpzRXFT;
Received: from [2001:9b1:41ac:ff00:823f:5dff:fe09:16ac] (port=52210 helo=kaka) by uggla.sjd.se with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <simon@josefsson.org>) id 1ruU96-00FdBQ-8R; Wed, 10 Apr 2024 09:21:32 +0000
From: Simon Josefsson <simon@josefsson.org>
To: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>
Cc: saag@ietf.org
References: <05D73B77-ECFB-43E9-A2A8-00D46F63FC32@aiven.io> <20240405162821.1801419.qmail@cr.yp.to> <CAGL5yWaJXRDyiQ=w2XJcoFhCQ3JDriqO+jAcOKz7J4kW2PY=uw@mail.gmail.com>
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt
X-Hashcash: 1:23:240410:paul.wouters=40aiven.io@dmarc.ietf.org::Q0lwq3uNRV+JMwcH:0p2/
X-Hashcash: 1:23:240410:saag@ietf.org::jXkSnaLBWf8ER9Cc:z8zW
Date: Wed, 10 Apr 2024 11:20:51 +0200
In-Reply-To: <CAGL5yWaJXRDyiQ=w2XJcoFhCQ3JDriqO+jAcOKz7J4kW2PY=uw@mail.gmail.com> (Paul Wouters's message of "Tue, 9 Apr 2024 20:26:41 -0400")
Message-ID: <87o7ahzi8c.fsf@kaka.sjd.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/cnnl9cJnwJ31yPxq8CXuvl-9HWU>
Subject: Re: [saag] SSH & Ntruprime
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2024 09:21:55 -0000
I think there are many orthogonal issues that are being discussed in a conflated and heated way here. Perhaps it will help to break them up into some separate questions related to the document: 1) Whether to add sntrup761x25519-sha512 to the IANA SSH "Key Exchange Method Names" registry. Before RFC 9519 the policy for allocation was IETF Review, but is now Expert Review. We endured a lengthy process getting RFC 8731 published, which covers a similar situation: OpenSSH led the way and moved to curve25519-sha256 before the IETF wanted to touch anything related to Curve25519, and we came to the IETF asking to document a widely deployed protocol. This may have lead to the process changes in RFC 9519. IANA has already reviewed the registration request and indicated 'IANA OK' and the IANA expert review state also says 'Expert Reviews OK'. Feedback from document reviewers can be seen here: https://datatracker.ietf.org/doc/draft-josefsson-ntruprime-ssh/ The mailing list indicated in RFC 9519 does not work, so the process to follow the current registration procedure is broken. I escalated this back in January but no change so far. As far as I can tell, the expert review process is less about value judgement on particular algorithms/protocols and more about following due process and that the namespace doesn't become crowded (it is infinite in this case). 2) If the Internet community would benefit from having protocols widely deployed on the Internet in a stable document like an RFC. I find it surprising that people argue against this. It may help re-visit the mission of the IETF is in the first place. What benefit is there to not document a description of a protocol that is widely deployed? It will make the IETF less relevant as a place where people go for documentation on Internet protocols. 3) The standardization level of the proposed protocol. The document is INFORMATIONAL and the implementation advice is MAY and has been so the entire time, merely because it is not proposed as a standard protocol. 4) If sntrup761 is a good cryptographic algorithm. I believe this question is irrelevant for the decision to publish a document. Certainly known facts should be covered in the Security Considerations section, and if you want to help improve the document, that would be appreciated. As an illustration: if OpenSSL and Chrome deployed a TLS cipher suite "ROT13-no-MAC" and a significant portion of the Internet started to use it tomorrow, to me that suggests having documentation of that protocol as an RFC is beneficial to everyone so they can get interop working. The Security Considerations could accurately describe what is currently known about the security of "ROT13-no-MAC", and using INFORMATION rather than STANDARDS TRACK seems appropriate. I think the Crypto Review Panel has a unclear charter and role in the IETF ecosystem, and that undue weight on one person's opinion is made here. Is the role of the CRP part of any IETF process documents? As far as I can tell, it has no decision making authority, but historically been a tool for the non-IETF CFRG WG. The panel could adopt a similar process as most IETF Area Directorates. Compare how most SECDIR review are phrased: they evaluate things related to security and ask for those facts to be accurately covered by the document, which seems different in style compared to the review made here. See https://wiki.ietf.org/group/secdir/SecDirReview 5) Process issues regarding decision making. The document was AD sponsored by Roman (on the recommendation from SECDISPATCH) and I've seen no decision from him to hand over AD-sponsorship to someone else or a decision to stop AD sponsor it. Have I missed were that was published? How are those two decisions regarded by IETF policys? /Simon
- [saag] SSH & Ntruprime Loganaden Velvindron
- Re: [saag] SSH & Ntruprime D. J. Bernstein
- Re: [saag] SSH & Ntruprime Harry Halpin
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Paul Wouters
- Re: [saag] SSH & Ntruprime Simon Josefsson
- Re: [saag] SSH & Ntruprime Loganaden Velvindron
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Orie Steele
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Jan-Frederik Rieckers
- Re: [saag] SSH & Ntruprime Orie Steele
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Orie Steele
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Melinda Shore
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime S Moonesamy
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime Ira McDonald
- Re: [saag] SSH & Ntruprime Michael Richardson
- Re: [saag] SSH & Ntruprime Paul Wouters
- Re: [saag] SSH & Ntruprime Simon Josefsson
- Re: [saag] SSH & Ntruprime Christian Huitema
- Re: [saag] SSH & Ntruprime Russ Housley
- Re: [saag] SSH & Ntruprime Orie Steele
- Re: [saag] SSH & Ntruprime Michael Richardson
- Re: [saag] SSH & Ntruprime Loganaden Velvindron
- Re: [saag] SSH & Ntruprime Loganaden Velvindron
- Re: [saag] SSH & Ntruprime Michael Richardson
- Re: [saag] SSH & Ntruprime Paul Wouters
- Re: [saag] SSH & Ntruprime Michael Richardson
- Re: [saag] SSH & Ntruprime Michael Richardson
- Re: [saag] SSH & Ntruprime Paul Wouters
- Re: [saag] SSH & Ntruprime Stephen Farrell
- Re: [saag] SSH & Ntruprime Simon Josefsson
- Re: [saag] SSH & Ntruprime Mark Baushke (ietf)
- Re: [saag] SSH & Ntruprime Stephen Farrell
- Re: [saag] SSH & Ntruprime D. J. Bernstein
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Stephen Farrell
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime S Moonesamy
- Re: [saag] SSH & Ntruprime Paul Wouters
- Re: [saag] SSH & Ntruprime Watson Ladd
- Re: [saag] SSH & Ntruprime Stephen Farrell
- Re: [saag] SSH & Ntruprime Simon Josefsson
- Re: [saag] SSH & Ntruprime StJohns, Michael
- Re: [saag] SSH & Ntruprime Watson Ladd
- Re: [saag] SSH & Ntruprime Stephen Farrell
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Watson Ladd
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime S Moonesamy
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime D. J. Bernstein
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Paul Wouters
- Re: [saag] SSH & Ntruprime D. J. Bernstein
- Re: [saag] SSH & Ntruprime Deb Cooley
- Re: [saag] SSH & Ntruprime Christian Huitema
- Re: [saag] SSH & Ntruprime Simon Josefsson