Re: [TLS] TLS Impact on Network Security draft updated

[Dennis Jackson <dennis.jackson@cs.ox.ac.uk>]

On 24/07/2019 04:13, Benjamin Kaduk wrote:
> On Wed, Jul 24, 2019 at 03:35:43AM +0100, Dennis Jackson wrote:
>> On 24/07/2019 02:55, Bret Jordan wrote:
>>> As a professional organization and part of due diligence, we need to try
>>> and understand the risks and ramifications on the deployments of our
>>> solutions. This means, understanding exactly how the market uses and
>>> needs to use the solutions we create. When we remove or change some
>>> technology, we should try hard to provide a work around. If a work
>>> around is not possible, we need to cleanly document how these changes
>>> are going to impact the market so it can prepare. This is the
>>> responsible and prudent thing to do in a professional organization like
>>> the IETF. 
>>>
>>
>> The IETF is for development of Internet Standards. If you want to
>> publish your (subjective) analysis of how a particular standard is going
>> to impact your market segment, there are any number of better venues:
>> trade magazines, industry associations, your company website, etc.
> 
> Actually, the Independent stream of the RFC series is purpose-built for
> individual commentary on the consequences of a particular standard
> [including in a particular segment], and would be superior (at least in
> my opinion) to any of the venues you list.  (See RFC 4846.)  But I
> believe the current ISE asks authors to try fairly hard to publish their
> work in the IETF before accepting it to the Indepndent stream.

I was thinking of 'published by the IETF' to mean the IETF stream.
Publishing in the Independent stream, without any proper review,
consensus or claim of fitness is a different matter altogether.

>>> The draft that Nancy and others have worked on is a great start to
>>> documenting how these new solutions are going to impact organizational
>>> networks. Regardless of whether you like the use-cases or regulations
>>> that some organizations have, they are valid and our new solutions are
>>> going to impact them. 
>>
>> This isn't a question of quality. The IETF simply doesn't publish
>> documents of this nature (to my knowledge).
> 
> The IETF can publish whatever there is IETF consensus to publish.  (And
> a little bit more, besides, though that is probably not relevant to the
> current discussion.)
> 
> I don't have a great sense of what you mean by "documents of this
> nature".  If you were to say "the IETF does not publish speculative and
> subjective discussion of possible future impact", I'd be fairly likely
> to agree with you (but I have also seen a fair bit of speculation get
> published).  

This was my intended meaning.

I'd feel rather differently about "the IETF does not
> publish objective analysis of the consequences of protocol changes on
> previously deployed configurations", and would ask if you think a
> document in the latter category is impossible for the TLS 1.2->1.3
> transition.  (My understanding is that the latter category of document
> is the desired proposal, regardless of the current state of the draft in
> question.)

The authors initiated this discussion by stating their draft was stable
and requesting publication. Consequently, I think it must be judged on
the current state, rather than the desired outcome.

Even considering your more generous interpretation... the objective
discussion is only 3 out of 15 pages and none of the 5 claims appears to
be correct. (As others have pointed out).

Best,
Dennis

> -Ben
> 
>