IETF Logo Mail Archive

[saag] Re: FW: New Version Notification for draft-rsalz-crypto-registries-00.txt

Simon Josefsson <simon@josefsson.org> Thu, 14 November 2024 08:17 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1F0AC1D4CCC; Thu, 14 Nov 2024 00:17:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=josefsson.org header.b="L/rt0PNu"; dkim=pass (2736-bit key) header.d=josefsson.org header.b="AlKXOCO6"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ny7uUwJgMueM; Thu, 14 Nov 2024 00:17:20 -0800 (PST)
Received: from uggla.sjd.se (uggla.sjd.se [IPv6:2001:9b1:8633::107]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B01EC1D4CC1; Thu, 14 Nov 2024 00:17:18 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=ed2303; h=Content-Type:MIME-Version:Message-ID:In-Reply-To :Date:References:Subject:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding :Content-ID:Content-Description; bh=3/u+SMo+lqSRRPzAEA8QrWeOcP3Vr5gT4pJIgmdS54o=; t=1731572235; x=1732781835; b=L/rt0PNudyCK3sr5cB60em3OaJFCDwwW3AY0wO0/g1TeqZQA6sHIcEKOqhvrorrWhK4GdLvET6R AGYNzlZ9CDQ==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=rsa2303; h=Content-Type:MIME-Version:Message-ID: In-Reply-To:Date:References:Subject:Cc:To:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=3/u+SMo+lqSRRPzAEA8QrWeOcP3Vr5gT4pJIgmdS54o=; t=1731572235; x=1732781835; b=AlKXOCO64nQcGkA6GHS0oSCWAiRvYAa1e5SYx0wTmWgI2iGsp/oHUJUY+5j5qbsq6iC0G++eG1i FBfseaLUIDOWwgF5HcTcKFCSmNK06gOWGXf/ksLV7WKmz3+/Z4KHvNYwE+0bp94VrX6hKt8MaIBwP BcZKZA/0oICtAUEgmU9hnewoNM1RQ5QAorgy4piy+gI6mbw/OfoC1P7Z32wTyBfhdM/OrlFsP2I3F 4aywANEdKl7Z9ux2/gk8MqxXS25uXI78qr+oXu/dznvCLiWMWg7O5y8SFim4C/CXYrDdADMBHyw31 x7MUvy4+RL0N47nhe7HCsek0DrEhRKJ+67gwNWv00H2u2WqiWN2aQi01cbUsAfKyflPFcSKSyWzXP bN8pvuYolnPxqqTKSsWeSdL/u9tRlLE80cFdS9dIkXvqZdgNf0YXxmTS198SRY9fDBso25vcC;
Received: from h-178-174-130-130.a498.priv.bahnhof.se ([178.174.130.130]:40332 helo=kaka) by uggla.sjd.se with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <simon@josefsson.org>) id 1tBV2Q-00G16U-1u; Thu, 14 Nov 2024 08:17:14 +0000
From: Simon Josefsson <simon@josefsson.org>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
References: <173152202848.979082.15707159705781320292@dt-datatracker-5f77bcf4bd-4q5pd> <259BE404-3386-49B2-8976-9FBEBF958AB7@akamai.com>
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt
X-Hashcash: 1:23:241114:rsalz=40akamai.com@dmarc.ietf.org::iNQVdKhnB4xOYkLZ:4PZu
X-Hashcash: 1:23:241114:saag@ietf.org::KCpQKORoB7fjWX+Y:5nKN
Date: Thu, 14 Nov 2024 09:17:27 +0100
In-Reply-To: <259BE404-3386-49B2-8976-9FBEBF958AB7@akamai.com> (Rich Salz's message of "Wed, 13 Nov 2024 18:26:07 +0000")
Message-ID: <87zfm25iw8.fsf@kaka.sjd.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Message-ID-Hash: ILMJPKA3QKJBD5R5FM5FD54LCNQ7VNVY
X-Message-ID-Hash: ILMJPKA3QKJBD5R5FM5FD54LCNQ7VNVY
X-MailFrom: simon@josefsson.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-saag.ietf.org-0; header-match-saag.ietf.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: saag <saag@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [saag] Re: FW: New Version Notification for draft-rsalz-crypto-registries-00.txt
List-Id: Security Area Advisory Group <saag.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/wJIqmm6_XtMOLibe7vOe77ld-JM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Owner: <mailto:saag-owner@ietf.org>
List-Post: <mailto:saag@ietf.org>
List-Subscribe: <mailto:saag-join@ietf.org>
List-Unsubscribe: <mailto:saag-leave@ietf.org>

Hi Rich.  Generally I disagree with the fundamental recommendation:

> This document provides recommendations for how IETF Working Groups
> should create IANA registries that are related to cryptographic
> algorithms. It is based on the lessons learned from the TLS registries
> over the years as described in [RFC8447] and
> [I-D.draft-ietf-tls-rfc8447bis].
> ...
> Each registry SHOULD be "Specification Required," as defined in
> [RFC8126], Section 4.6.

While this may be appropriate for TLS, and may be appropriate for some
other registries, I don't think this is a good universal rule.

Re-reading RFC 8126, I believe it already sets out a good balance
between the different models already, and I encourage people to read the
entire guidance:

https://www.rfc-editor.org/rfc/rfc8126#section-4

SASL mechanisms are registered on a first-come-first-serve basis and
this has worked well historically.
https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml

Kerberos uses a mix of methods for registration too.
https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml

What problem are you trying to solve with this document?
Could we start with a problem statement?

To me, it seems like an attempt to generalize a policy that risk
increasing the downward angle of the slipper slope towards rejecting all
crypto that isn't controlled by NIST.

Quoting section 3:

> A key requirement is that the specification of the semantics must be
> "permanent and readily available" as described in [RFC8126], Section
> 4.6. The defining document should make explicit if Internet-Draft
> documents qualify, as Section 4.6 does not say.

I don't think I-D's are appropriate to use as reference material in the
Specification Required context.  The current IETF I-D boilerplate says:

> Internet-Drafts are draft documents valid for a maximum of six months
> and may be updated, replaced, or obsoleted by other documents at any
> time. It is inappropriate to use Internet-Drafts as reference material
> or to cite them other than as "work in progress."

RFC 8126 suggests that the ideal example of Specification Required is an
RFC but instead of saying 'RFC Required' it says 'Specification
Required' to cover things outside of the RFC path.  I-D's is on the RFC
path.  Thus, I don't think RFC 8126 "Specification Required" was
intended to include I-D's originally.  Quoting section 4.6:

> The intention behind "permanent and readily available" is that a
> document can reasonably be expected to be findable and retrievable
> long after IANA assignment of the requested value.  Publication of an
> RFC is an ideal means of achieving this requirement, but
> Specification Required is intended to also cover the case of a
> document published outside of the RFC path, including informal
> documentation.

Another comment on your text:

> DE Instructions
>
>   Unless the WG chairs indicate otherwise via email, the Designated
>   Experts should decline code point registrations for documents which
>   have already been adopted or are being proposed for adoption by IETF
>   working groups or IRTF research groups.

I suggest changing 'or are being proposed for adoption into 'or are
being proposed by the document authors for adoption into' to avoid
external people fillibustering the registration process of a document by
proposing it for adoption by some random WG's.  Proposing other's work
as WG documents is a pattern that have been followed for several
protocols that people dislike and seamingly wish to delay.

/Simon

v2.29.0 | Report a Bug | By Email | System Status