IETF Logo Mail Archive

[saag] Re: New Version Notification for draft-rsalz-crypto-registries-00.txt

Simon Josefsson <simon@josefsson.org> Thu, 28 November 2024 09:06 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 108C5C14F70A; Thu, 28 Nov 2024 01:06:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=josefsson.org header.b="NHcrYBd9"; dkim=pass (2736-bit key) header.d=josefsson.org header.b="k6vQMwiy"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r2HHnNVQKCRe; Thu, 28 Nov 2024 01:06:20 -0800 (PST)
Received: from uggla.sjd.se (uggla.sjd.se [IPv6:2001:9b1:8633::107]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC43EC180B7E; Thu, 28 Nov 2024 01:06:18 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=ed2303; h=Content-Type:MIME-Version:Message-ID:In-Reply-To :Date:References:Subject:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding :Content-ID:Content-Description; bh=pAgRP9l0fji3NvDRRsG+c1x49v+ieSKZx9mKE4IDFxw=; t=1732784770; x=1733994370; b=NHcrYBd9Nggp+ypZSD/YVAsvku43kDxy1gvQmCPXOZ1hJgeW4c5U0bA+AwZVIf7ud0/wzJgcSnw zg0evOouiCA==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=rsa2303; h=Content-Type:MIME-Version:Message-ID: In-Reply-To:Date:References:Subject:Cc:To:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=pAgRP9l0fji3NvDRRsG+c1x49v+ieSKZx9mKE4IDFxw=; t=1732784770; x=1733994370; b=k6vQMwiyYeuacWsoWpgp0ZLbxBF4rFYFakarucl3MwswaBu1VRY6B+TVW+4pkQovKgmar8EcVK9 rual0f+yBGffNwKYNv1omvCNYlVDm6vAwT4sJUcu3yeVjWHSHE7hFnnty35NWdM8sg4Hgf5xVlUdX W4L2YDCiLZRqVKg1Eu9ZrqDrdMw9j6+zGUevutbzzWPwcXnzlGYM60fSR3SC4uj4dRDHCd/OU1MRF klPmtJb/fKMYTYX9/9SDmUOV7G3LQQvaSP8qhT641OG0A6kSOd5k6/EA0V2tvhAwkyEE3g2GbKNUA t/VANP5xxIGOLy9Cdo4HqPTf8BhuHL9VF0eEWhNlVh75qTCa5KEjSk891afvNHgVhGDoGfvHZAyDY I1lnns3TvjZhGysBwNMB8rU67w2yuDJGu5aD9cw1JgtMVLcnuwQWPlqclx3NEI/gBi8Cp1Zxb;
Received: from h-178-174-130-130.a498.priv.bahnhof.se ([178.174.130.130]:54882 helo=kaka) by uggla.sjd.se with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <simon@josefsson.org>) id 1tGaTI-005t3z-Vt; Thu, 28 Nov 2024 09:06:01 +0000
From: Simon Josefsson <simon@josefsson.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <BE95E617-C929-43BA-BB40-41E189A8158B@akamai.com> <87ldxl5zp9.fsf@kaka.sjd.se> <26424.40383.605711.370013@fireball.acr.fi> <71bcb4f8-e147-a6cb-3c67-b6daef61f309@mindrot.org> <26439.33533.129915.244853@fireball.acr.fi> <SY8P300MB0711C796AB6095C788556516EE292@SY8P300MB0711.AUSP300.PROD.OUTLOOK.COM>
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt
X-Hashcash: 1:23:241128:simon=40josefsson.org@dmarc.ietf.org::EETzzFhRDl630djg:0X8+
X-Hashcash: 1:23:241128:djm@mindrot.org::g7+m69GkAfxRlxWK:0MZA
X-Hashcash: 1:23:241128:rsalz=40akamai.com@dmarc.ietf.org::j6htRLc8ThViGIGo:2rpR
X-Hashcash: 1:23:241128:kivinen@iki.fi::IQefGv7K6sU6x6bO:L397
X-Hashcash: 1:23:241128:pgut001@cs.auckland.ac.nz::jTP7f6EftGq01RGi:Fgj5
X-Hashcash: 1:23:241128:saag@ietf.org::9xQVLkk2/oJQqKAl:01w3W
Date: Thu, 28 Nov 2024 10:06:11 +0100
In-Reply-To: <SY8P300MB0711C796AB6095C788556516EE292@SY8P300MB0711.AUSP300.PROD.OUTLOOK.COM> (Peter Gutmann's message of "Thu, 28 Nov 2024 01:00:51 +0000")
Message-ID: <87zfljybgc.fsf@kaka.sjd.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Message-ID-Hash: FFBQQJ6FSNUGRWQZCHXYCYYKFNVYRKBY
X-Message-ID-Hash: FFBQQJ6FSNUGRWQZCHXYCYYKFNVYRKBY
X-MailFrom: simon@josefsson.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-saag.ietf.org-0; header-match-saag.ietf.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Tero Kivinen <kivinen@iki.fi>, Damien Miller <djm@mindrot.org>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, "saag@ietf.org" <saag@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [saag] Re: New Version Notification for draft-rsalz-crypto-registries-00.txt
List-Id: Security Area Advisory Group <saag.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ulh30ObjxC6Pv35P4LFbORlX6SY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Owner: <mailto:saag-owner@ietf.org>
List-Post: <mailto:saag@ietf.org>
List-Subscribe: <mailto:saag-join@ietf.org>
List-Unsubscribe: <mailto:saag-leave@ietf.org>

Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:

> Tero Kivinen <kivinen@iki.fi> writes:
>
>>When someone (like openssh) creates a new thing with foo@openssh.org, they
>>should include the documentation of that either on their web page, or inside
>>the source distribution etc. Not everything needs to be an RFC, and most of
>>those things that are defined that way are quite simple to document.
>
> Ahh, no, this leads to the current mess where one of the OpenSSH folks invents
> something, posts it (without any public review) to the bottom of a locked
> filing cabinet stuck in a disused lavatory with a sign on the door saying 
> "Beware of the Leopard", it gets added to the de-facto standard SSH
> implementation that everyone has to be compatible with leading to a scramble
> to find out where it's specified and how you're supposed to implement it, and
> then a later scramble to patch it when the security vulns from the lack of
> public review are discovered.
>
> Looking at it from the other side of the fence, given the incredibly laborious
> and painful process of getting anything through the IETF (ISO standards are
> often considerably quicker and easier to do than IETF, and that includes the
> time for translation into French) I have some sympathy for the folks who
> choose to do it this way even if I don't really agree with what they're doing.

I share that sympathy.  We can help them by making the IETF a welcoming
place to get documents reviewed, improved and published.

I believe the IETF share the responsibility for things ending up in the
way you describe.

While it is easy to cast the blame on OpenSSH folks for doing the
actions, I believe the primary place to improve the outcome is in the
IETF.  It's not OpenSSH that should change, it's the IETF.

If the IETF had been a more attractive place to come to and get things
done, doing so happens naturally and automatically.

Unfortunately, I see diminishing interest in acknowleding or improving
this state.  Instead there appears to be strong interest in using the
powers to 1) delay, defer and stop publications (ssh-ntruprime, peap,
anything non-nist) and 2) publish specifications that are incompatible
with deployments which damages ecosystems (pgp), and 3) favor protocols
that lead to weaker system security due to complexity (ipsec, x509).

/Simon

v2.29.0 | Report a Bug | By Email | System Status