IETF Logo Mail Archive

Re: [saag] SSH & Ntruprime

Eric Rescorla <ekr@rtfm.com> Thu, 11 April 2024 02:28 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53FDFC14F600 for <saag@ietfa.amsl.com>; Wed, 10 Apr 2024 19:28:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.893
X-Spam-Level:
X-Spam-Status: No, score=-1.893 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RcdF-mwwLede for <saag@ietfa.amsl.com>; Wed, 10 Apr 2024 19:28:23 -0700 (PDT)
Received: from mail-yw1-x1132.google.com (mail-yw1-x1132.google.com [IPv6:2607:f8b0:4864:20::1132]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F60FC14F5F4 for <saag@ietf.org>; Wed, 10 Apr 2024 19:28:23 -0700 (PDT)
Received: by mail-yw1-x1132.google.com with SMTP id 00721157ae682-6157c30fbc9so71064967b3.0 for <saag@ietf.org>; Wed, 10 Apr 2024 19:28:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1712802502; x=1713407302; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=PnwO0MC/McyRrTQPgAiNX7ptXxR5y6SBEO0mFqYAn+s=; b=0iWh5sRLo+v87zUVahYdWX0kBXus9jGBeqkqffB68pUEWayomQgdra1TV3s65gHpGo lXjDSTQHgR071OCQZk0Y4NbotQEhyiEmeFo67lt97RROfZlAl5OkUc88SZhONQYWtzqa kSO+cS/cQ9+adO6wxPMKbqfJLB7w4VSS77DSYdfzbjKDUsWf9A3Z7L3Vpv7dYwVImzji xTjUMzrzLmTZcDgeWxVBaf6ORpWq4k5vmj+XZ0B8m4tpOtNbo/uJKTELav9/XXK8WJ53 aeSbQEcX3UFeTuMsvinNEc6Ssy9LtIf5x11wA0ASXAwDk0OuO1Gilf/O8Hu9BhDpth+T JgDg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712802502; x=1713407302; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=PnwO0MC/McyRrTQPgAiNX7ptXxR5y6SBEO0mFqYAn+s=; b=kXD+aZIyXJnEnalM1AIJ/NzL2tgOa6oaD58J4V/HyLyOlaNMpBkoQZomjSZ5pBF4qN M1/lLkQqFVIsJ4y9gqiNonorN6qViW2chLhGNC2phtr3timVdPiYvOrBJLnxmxZWtItS HYY8POSx8LwvUGha8JNKANFyzdwdVxpBl44xqn1Bs7vpQI9FlPjxBxBHXIoHC5mKtSXq Or0u/JgcNr8xaTbzTLNwpjzo5kr8wtDVbvIklLJny29XQauvMyvzy8eB+PBYuJq4lZBN Pb5GIZ0aIy3/lIJZaUtSoF0iBLVstPio5QAPUV+e6JE7v5mDONYU75wgVNjHvSlDesuv jsAw==
X-Gm-Message-State: AOJu0YxDha9utXVmNHn34VB+1c3nYhrx4CbbBo4U4Wmp4iiwmMjfaob/ jWUhZ2eRKGRRdLXdC7vFU1YECX3LjfigXC9XMhQ1NE66vtGAySATOXmtd8aXqPC7PZEoEEYhUHa P/jt1jswSaS7+NQf0pfTYidfMfI6NUCxbZoBfJ7aF09ZKSDByU7U=
X-Google-Smtp-Source: AGHT+IEtP2anHTN2A++6k/nkXbryPmiWJCeaMUBBEYHmbxkTGiBttDXjU0l+IfCriNzVJ4EgKavxKf555pCCcKnpGPQ=
X-Received: by 2002:a0d:e64a:0:b0:617:cb98:f9b2 with SMTP id p71-20020a0de64a000000b00617cb98f9b2mr4695931ywe.43.1712802502377; Wed, 10 Apr 2024 19:28:22 -0700 (PDT)
MIME-Version: 1.0
References: <05D73B77-ECFB-43E9-A2A8-00D46F63FC32@aiven.io> <20240405162821.1801419.qmail@cr.yp.to> <CAGL5yWaJXRDyiQ=w2XJcoFhCQ3JDriqO+jAcOKz7J4kW2PY=uw@mail.gmail.com> <87o7ahzi8c.fsf@kaka.sjd.se> <CABcZeBO-_k3pTsLAqOm3c5F8Cnbnd1mtdpuaoQicoCRBLPZLLg@mail.gmail.com> <d2bd2378-4de4-4426-b2f4-fbcff6de5d2a@cs.tcd.ie> <CABcZeBPtRoGg=diFd2MjRXn0SD+KMJSC65ROe55SpsdcLL_m_g@mail.gmail.com> <9da5e8a6-b329-41cd-89c1-4423f6739341@nthpermutation.com> <CABcZeBN-Oy-vG=VYwqAmd=Fi7AWyp1pQPnMQMhe0-EzOPZwrsQ@mail.gmail.com> <7127f31a-bb6f-467a-aa67-55b46e7f95f2@nthpermutation.com> <3bef7fff-6a84-42ba-a2ee-a5e6bd60c816@cs.tcd.ie> <CANeU+ZDvWWd+HmtXx=4x0zgO6FNfeqwzybU+jjVHzFWqkgz2Rg@mail.gmail.com>
In-Reply-To: <CANeU+ZDvWWd+HmtXx=4x0zgO6FNfeqwzybU+jjVHzFWqkgz2Rg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 10 Apr 2024 19:27:46 -0700
Message-ID: <CABcZeBPXDcq-hZnzqD0koFm+Hv130tHvYuWN4QHwmZWtj8-bBw@mail.gmail.com>
To: "StJohns, Michael" <msj@nthpermutation.com>
Cc: Security Area Advisory Group <saag@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="000000000000b9a6d90615c8e8c7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/iupbmZgYwaALkKbp1LWEtqUPa7o>
Subject: Re: [saag] SSH & Ntruprime
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2024 02:28:27 -0000

On Wed, Apr 10, 2024 at 7:05 PM StJohns, Michael <msj@nthpermutation.com>
wrote:

> On Wed, Apr 10, 2024 at 21:06 Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
>
> I'll also note the title and content of 8447 says that it
>> applies to TLS and DTLS registries so I'm confused by any
>> argument that says that 8447 affects other protocols other
>> than in the abstract sense that it demonstrates a setup
>> that could in principle be copied.
>>
>> So, WRT this thread: IMO 8447 is fine, but that does not
>> mean everyone else needs to operate as if they're TLS,
>> and in particular, 8447 has zero implication for how best
>> to handle anything to do with SSH.
>>
>
> Yup. And had EKR not mentioned RFC8447 might be a good model for SSH
> earlier in this chain, I wouldn’t be saying anything now.
>

RFC 8447 aside, the text in RFC 9519 [0] appears to me to at least
implicitly permit registration without any IETF specification at
all. https://www.rfc-editor.org/rfc/rfc9519.html#section-3

  Expert Review [RFC8126] registry requests are registered after a
  three-week review period on the <ssh-reg-review@ietf.org> mailing
  list, and on the advice of one or more designated experts. However,
  to allow for the allocation of values prior to publication, the
  designated experts may approve registration once they are satisfied
  that such a specification will be published. Registration requests
  sent to the mailing list for review SHOULD use an appropriate
  subject (e.g., "Request to register value in SSH protocol parameters
  <specific parameter> registry").

The term "such specification" is ambiguous (and I don't see any other
text in 9519 about it) but here's RFC 8126 Expert Review says
about:

   For the Expert Review policy, review and approval by a designated
   expert (see Section 5) is required.  While this does not necessarily
   require formal documentation, information needs to be provided with
   the request for the designated expert to evaluate.  The registry's
   definition needs to make clear to registrants what information is
   necessary.

I don't know how the experts have been interpreting this text, but
I think it's at least arguable that this is consistent with having
a "specification" just exist somewhere, e.g., on someone's Web page.
It doesn't seem to require that it be stable, for instance.

-Ekr

v2.23.0 | Report a Bug | By Email