Re: [saag] Additions to RFC 3631?
Eliot Lear <lear@cisco.com> Mon, 21 May 2012 12:53 UTC
Return-Path: <lear@cisco.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D88021F8620 for <saag@ietfa.amsl.com>; Mon, 21 May 2012 05:53:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z3JyuZ6o19PV for <saag@ietfa.amsl.com>; Mon, 21 May 2012 05:53:35 -0700 (PDT)
Received: from ams-iport-3.cisco.com (ams-iport-3.cisco.com [144.254.224.146]) by ietfa.amsl.com (Postfix) with ESMTP id 74AA721F8613 for <saag@ietf.org>; Mon, 21 May 2012 05:53:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=lear@cisco.com; l=1242; q=dns/txt; s=iport; t=1337604815; x=1338814415; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=R+4ANtftbR8NzU8/WGuwqDtwQYTXp2jXhMdbwi0q5vw=; b=aedEGNHEJ3CJLYhk2qpbVY8Azk7AE+jqeQevB8+zLWb7zFpDznkkDzD7 tGEZbu7yE2hZHaCmQBaR3hYVSNGoLTnRjjPWL/4FtCtrVJ7+/sRq6mNpn RHCAH6OcpVFaHtUlgGzqIyRv6WNXrfDRpEA6HBlSUs8gH8/BYId8yq6P+ U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgAFACk6uk+Q/khM/2dsb2JhbABEhS2uU4EHghUBAQEEEgEQVQEQCxgCAgUWCwICCQMCAQIBRQYNAQcBAR6HbJ88jRSSSoEmjhiBFAOVG44MgWSCaw
X-IronPort-AV: E=Sophos;i="4.75,631,1330905600"; d="scan'208";a="4762369"
Received: from ams-core-3.cisco.com ([144.254.72.76]) by ams-iport-3.cisco.com with ESMTP; 21 May 2012 12:53:31 +0000
Received: from dhcp-10-61-99-170.cisco.com (dhcp-10-61-99-170.cisco.com [10.61.99.170]) by ams-core-3.cisco.com (8.14.3/8.14.3) with ESMTP id q4LCrVfd009452; Mon, 21 May 2012 12:53:31 GMT
Message-ID: <4FBA3ACB.9030805@cisco.com>
Date: Mon, 21 May 2012 14:53:31 +0200
From: Eliot Lear <lear@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: Mouse <mouse@Rodents-Montreal.ORG>
References: <300A2E9F-E99B-46FA-A101-E3611BD0D197@cs.columbia.edu> <201205190331.XAA28531@Sparkle.Rodents-Montreal.ORG> <4FB9FC4C.9010107@cisco.com> <201205210952.FAA14303@Sparkle.Rodents-Montreal.ORG>
In-Reply-To: <201205210952.FAA14303@Sparkle.Rodents-Montreal.ORG>
X-Enigmail-Version: 1.4.1
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: saag@ietf.org
Subject: Re: [saag] Additions to RFC 3631?
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 May 2012 12:53:36 -0000
On 5/21/12 11:52 AM, Mouse wrote: >> How would you propose to handle the situation where an MTI algorithm >> is found to be vulnerable? > Disable it. > > That is to say, I would scrap the mandatory-to-implement part, not the > allow-disabling part. Besides, after technology has marched on for > five - or ten, or twenty - years, today's best is likely to look > utterly ludicrous. Time was, crypt(1) - a one-rotor Enigma machine, > basically - actually provided a useful level of security. Today, it's > what Schneier calls `kid sister' crypto, at best. Mandatory-to-offer > algorithms lead to forcing people to choose between ignoring the spec > and running grossly insecure algorithms, while allowing disabling of > mandatory-to-implement algorithms breaks most of the point of > mandatory-to-implement. > Thanks for this explanation. I wonder if there is a more nuanced way in which this could be handled. For instance, would it be possible for the IETF to keep a simple list of algorithms in order of preference, and deal with algorithm agility in that way? This presupposes that there is some uniformity in application requirements, or at least classes of applications that can be grouped... Eliot
- Re: [saag] Additions to RFC 3631? Yaron Sheffer
- Re: [saag] Additions to RFC 3631? Eliot Lear
- Re: [saag] Additions to RFC 3631? Mouse
- Re: [saag] Additions to RFC 3631? Simon Josefsson
- [saag] Additions to RFC 3631? Steven Bellovin
- Re: [saag] Additions to RFC 3631? Mouse
- Re: [saag] Additions to RFC 3631? Simon Josefsson
- Re: [saag] Additions to RFC 3631? Stephen Farrell
- Re: [saag] Additions to RFC 3631? Yaron Sheffer
- Re: [saag] Additions to RFC 3631? Eliot Lear
- Re: [saag] Additions to RFC 3631? Steven Bellovin
- Re: [saag] Additions to RFC 3631? Paul Hoffman
- Re: [saag] Additions to RFC 3631? Nico Williams
- Re: [saag] Additions to RFC 3631? Joe Touch
- Re: [saag] Additions to RFC 3631? Nico Williams
- Re: [saag] Additions to RFC 3631? Nico Williams
- Re: [saag] Additions to RFC 3631? Steven Bellovin
- Re: [saag] Additions to RFC 3631? Nico Williams
- Re: [saag] Additions to RFC 3631? Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [saag] Additions to RFC 3631? Steven Bellovin
- Re: [saag] Additions to RFC 3631? Yaron Sheffer
- Re: [saag] Additions to RFC 3631? Nico Williams
- Re: [saag] Additions to RFC 3631? Jeffrey Hutzelman
- Re: [saag] Additions to RFC 3631? Joe Touch
- Re: [saag] Additions to RFC 3631? Hannes Tschofenig
- Re: [saag] Additions to RFC 3631? Nico Williams
- Re: [saag] Additions to RFC 3631? Steven Bellovin
- Re: [saag] Additions to RFC 3631? Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [saag] Additions to RFC 3631? Steve Crocker
- Re: [saag] Additions to RFC 3631? Tschofenig, Hannes (NSN - FI/Espoo)