On 2/18/15 11:02 PM, Richard Barnes wrote:
We will discuss this on the call tomorrow. Stephen and Kathleen
and I are working on (well, really, Stephen produced a first draft
a month ago and I dawdled on my edit, but I hope we are close to
getting out the door) a statement to the community regarding
discussions of OS considerations. There are a load of reasons that
in an OS (and potentially other unauthenticated) context you would
violate some of the recommendations in this document.
I look forward to your documentation of which recommendations and
which reasons.
That is a topic for another chartered item that the WG is to take on:
http://www.ietf.org/mail-archive/web/uta/current/msg00649.html
I think it would be disastrous to hold up this document (which has
plenty of good recommendations for non-OS normal uses of TLS) in order
to explain how this document applies (and does not apply) to OS uses.
Which is why I think this document should say, "Not addressed here."
As our note will say, it is incredibly hard (I would say near
impossible) to reasonably convey what the "right" approach is when
talking about OS.
I will object strenuously to anything that suggests that continuing to
use broken algorithms or protocols is any sense a "right" approach.
Fortunately, Peter's note implies that this is not what the WG intended.
There are OS scenarios in which the use of a known weak algorithm is
perfectly appropriate. This document should not say anything that would
indicate otherwise.
Until we are able to get better community consensus on this topic
and how to explain it in documents, I think (and I believe the WG
agrees) that the right thing to say is, "This document isn't
talking about OS" and leave it at that, which is what the document
now says.
It's wrong to just throw up our hands and give carte blanche just
because we might need to red-line a few things.
I have no idea what you mean by "give carte blanche" here. We don't
write conformance standards. We know and have consensus on what this
document recommends in non-OS contexts. We don't have consensus on what
should be recommended in OS contexts. This document should not attempt
to pre-determine what a followup document will say.
At most, we should say something like, "OS is a work in progress;
until further notice, use this as a baseline and deviate to the
minimal extent possible."
That is significantly worse, in my view, than saying, "We're not talking
about OS here."
More tomorrow.
pr
--
Pete Resnick<http://www.qualcomm.com/~presnick/>
Qualcomm Technologies, Inc. - +1 (858)651-4478
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
