IETF Logo Mail Archive

Re: [saag] SSH & Ntruprime

Simon Josefsson <simon@josefsson.org> Wed, 10 April 2024 09:21 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C11DC14CEFE; Wed, 10 Apr 2024 02:21:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.398
X-Spam-Level:
X-Spam-Status: No, score=-4.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=josefsson.org header.b="GKRp6MAW"; dkim=pass (2736-bit key) header.d=josefsson.org header.b="I2GnomcU"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id okil2vIARxXH; Wed, 10 Apr 2024 02:21:49 -0700 (PDT)
Received: from uggla.sjd.se (uggla.sjd.se [IPv6:2001:9b1:8633::107]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D9BEC14F61C; Wed, 10 Apr 2024 02:21:47 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=ed2303; h=Content-Type:MIME-Version:Message-ID:In-Reply-To :Date:References:Subject:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding :Content-ID:Content-Description; bh=2mwWk/z77HbeDWxjdBgu9DbZONGo58srer4e6vJuThU=; t=1712740894; x=1713950494; b=GKRp6MAWsAS2XwnoEVs86EeVkh9QhEejANdIvQUW3hykPA2/EZ3AdRf0jtf4uFEVXqieYPa8JuB s+0VC4ROEAA==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=rsa2303; h=Content-Type:MIME-Version:Message-ID: In-Reply-To:Date:References:Subject:Cc:To:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=2mwWk/z77HbeDWxjdBgu9DbZONGo58srer4e6vJuThU=; t=1712740894; x=1713950494; b=I2GnomcUYM/2vPSbM0fWjdG4F8Rz08A5TdK2vEdHJUXt07cjukrVzUW/zptWCOVzvQweUTFTRLr wv+8FU4oQTmrNEJHjaE72Zv5EqC0DOv4efQHyOE/T/G3f5kxHlMqNpQQRvZc0F509RM1XlFHr9Wbf lGBN3nUMbKUCI5NEWDfBLUU0QsvUlsNUmelrWLkHWrimX8yfHV8fbsQ7qyGK4JhuGXXPNh3O60B+9 tBRYBlngW7kOqyu6Wj3fq62Od/0/c6jpRVIZbEsPtlbKXqPIMMVyE5p7iSBhO0fHcoo0RWMU4jADs iBxCaY8srnXLSMXq6cvU923AZGv/hs7VpjuWxXJWnArQNGxqxfqMfsUBe0d8njxLlogMDe1bzmRZD UMOgS5Dv1sPW1VBcPc5gGb/1I6fiNQ5XxWMCCgwqItoY9nUw9UU2JBjqPMMhzCxZA9UpzRXFT;
Received: from [2001:9b1:41ac:ff00:823f:5dff:fe09:16ac] (port=52210 helo=kaka) by uggla.sjd.se with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <simon@josefsson.org>) id 1ruU96-00FdBQ-8R; Wed, 10 Apr 2024 09:21:32 +0000
From: Simon Josefsson <simon@josefsson.org>
To: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>
Cc: saag@ietf.org
References: <05D73B77-ECFB-43E9-A2A8-00D46F63FC32@aiven.io> <20240405162821.1801419.qmail@cr.yp.to> <CAGL5yWaJXRDyiQ=w2XJcoFhCQ3JDriqO+jAcOKz7J4kW2PY=uw@mail.gmail.com>
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt
X-Hashcash: 1:23:240410:paul.wouters=40aiven.io@dmarc.ietf.org::Q0lwq3uNRV+JMwcH:0p2/
X-Hashcash: 1:23:240410:saag@ietf.org::jXkSnaLBWf8ER9Cc:z8zW
Date: Wed, 10 Apr 2024 11:20:51 +0200
In-Reply-To: <CAGL5yWaJXRDyiQ=w2XJcoFhCQ3JDriqO+jAcOKz7J4kW2PY=uw@mail.gmail.com> (Paul Wouters's message of "Tue, 9 Apr 2024 20:26:41 -0400")
Message-ID: <87o7ahzi8c.fsf@kaka.sjd.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/cnnl9cJnwJ31yPxq8CXuvl-9HWU>
Subject: Re: [saag] SSH & Ntruprime
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2024 09:21:55 -0000

I think there are many orthogonal issues that are being discussed in a
conflated and heated way here.  Perhaps it will help to break them up
into some separate questions related to the document:

  1) Whether to add sntrup761x25519-sha512 to the IANA SSH "Key Exchange
     Method Names" registry.  Before RFC 9519 the policy for allocation
     was IETF Review, but is now Expert Review.  We endured a lengthy
     process getting RFC 8731 published, which covers a similar
     situation: OpenSSH led the way and moved to curve25519-sha256
     before the IETF wanted to touch anything related to Curve25519, and
     we came to the IETF asking to document a widely deployed protocol.
     This may have lead to the process changes in RFC 9519.

     IANA has already reviewed the registration request and indicated
     'IANA OK' and the IANA expert review state also says 'Expert
     Reviews OK'.  Feedback from document reviewers can be seen here:
     https://datatracker.ietf.org/doc/draft-josefsson-ntruprime-ssh/

     The mailing list indicated in RFC 9519 does not work, so the
     process to follow the current registration procedure is broken.  I
     escalated this back in January but no change so far.

     As far as I can tell, the expert review process is less about value
     judgement on particular algorithms/protocols and more about
     following due process and that the namespace doesn't become crowded
     (it is infinite in this case).

  2) If the Internet community would benefit from having protocols
     widely deployed on the Internet in a stable document like an RFC.
     I find it surprising that people argue against this.  It may help
     re-visit the mission of the IETF is in the first place.  What
     benefit is there to not document a description of a protocol that
     is widely deployed?  It will make the IETF less relevant as a place
     where people go for documentation on Internet protocols.

  3) The standardization level of the proposed protocol.  The document
     is INFORMATIONAL and the implementation advice is MAY and has been
     so the entire time, merely because it is not proposed as a standard
     protocol.

  4) If sntrup761 is a good cryptographic algorithm.  I believe this
     question is irrelevant for the decision to publish a document.
     Certainly known facts should be covered in the Security
     Considerations section, and if you want to help improve the
     document, that would be appreciated.  As an illustration: if
     OpenSSL and Chrome deployed a TLS cipher suite "ROT13-no-MAC" and a
     significant portion of the Internet started to use it tomorrow, to
     me that suggests having documentation of that protocol as an RFC is
     beneficial to everyone so they can get interop working.  The
     Security Considerations could accurately describe what is currently
     known about the security of "ROT13-no-MAC", and using INFORMATION
     rather than STANDARDS TRACK seems appropriate.

     I think the Crypto Review Panel has a unclear charter and role in
     the IETF ecosystem, and that undue weight on one person's opinion
     is made here.  Is the role of the CRP part of any IETF process
     documents?  As far as I can tell, it has no decision making
     authority, but historically been a tool for the non-IETF CFRG WG.
     The panel could adopt a similar process as most IETF Area
     Directorates.  Compare how most SECDIR review are phrased: they
     evaluate things related to security and ask for those facts to be
     accurately covered by the document, which seems different in style
     compared to the review made here.  See
     https://wiki.ietf.org/group/secdir/SecDirReview

  5) Process issues regarding decision making.  The document was AD
     sponsored by Roman (on the recommendation from SECDISPATCH) and
     I've seen no decision from him to hand over AD-sponsorship to
     someone else or a decision to stop AD sponsor it.  Have I missed
     were that was published?  How are those two decisions regarded by
     IETF policys?

/Simon

v2.23.0 | Report a Bug | By Email