On Wednesday, 17 March 2021 07:53:25 CET, Eliot Lear wrote:
> On 17 Mar 2021, at 06:57, Watson Ladd <watsonbl...@gmail.com> wrote:
>> On Mon, Mar 15, 2021, 2:59 AM Eliot Lear
>> <lear=40cisco....@dmarc.ietf.org> wrote:
>>> Architecturally, Rich is nailing it. We should be
>>> encouraging the use of SANs. However, use of SANs beyond the
>>> scope of the web may not be entirely ubiquitous, and so we
>>> should either be a bit more targeted, or slow roll the other
>>> uses with some backward compatibility language. Personally I
>>> like the latter approach. We shouldn’t hold up deprecation
>>> across the web due to the other uses, but we should encourage
>>> those other uses to move off of subject.
>>
>> Every discussion of deprecation I've been in in the IETF seems to go
>> the same way: no matter how gentle the prohibition we get complaints,
>> and meanwhile people don't notice what's disfavored, in part because
>> of the earlier requests to not forbid things making the indications of
>> future disfavor too soft.
>
> The alternative view is that we shouldn’t break stuff or write
> edicts we know will be ignored. AR certs are burned into
> products. They’re NEVER going to change, and some code in some
> contexts needs to expect them. That includes, by the way, in all
> likelihood, the smart meter providing your house electricity.
> Not everything is apache or a browser that you can take an
> auto-update and simply get away from bad code. The world is a
> complex place.

it's also a place that needs to keep on moving forward as new attacks and
more powerful computers come to light every year

>> which nothing short of
>> MUST NOT seems to get across.
>
> Why would you think that in this case? The IEEE has been
> remarkably good at tracking our work, as have a great many
> other organizations, but for uses you’ve never considered.
> That’s why code like OpenSSL is deployed in places you’ve never
> heard of. And while you’re right, we’re not the protocol
> police, it’s bad when we give developers advice they simply
> cannot follow because they live in the real world.

they also need to accept the reality that their use-case is a niche use
case for the whole ecosystem, so not all things will align nicely and not
all advice will be applicable to them

so maybe, we should give them a little bit of credit and assume that they
are able to differentiate stuff that makes sense in their context from stuff
that's applicable to the web in general
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic