> On 19 Mar 2021, at 12:20, Hubert Kario <hka...@redhat.com> wrote: > > it's also a place that needs to keep on moving forward as new attacks and > more powerful computers come into light every year
Sure. That’s why I support the draft. > >>> which nothing short of >>> MUST NOT seems to get across. >> >> Why would you think that in this case? The IEEE has been remarkably good at >> tracking our work, as have a great many other organizations, but for uses >> you’ve never considered. That’s why code like OpenSSL is deployed in places >> you’ve never heard of. And while you’re right, we’re not the protocol >> police, it’s bad when we give developers advice they simply cannot follow >> because they live in the real world. > > they also need to accept the reality that their use-case is a niche use > case for the whole ecosystem, so not all things will align nicely and not > all advice will be applicable to them Is it? There are hundreds of millions of devices that cover this use case, and that number is accelerating. > > so maybe, we should give them a little bit of credit and assume that they are > able to differentiate stuff that makes sense in their context from stuff > that's applicable to the web in general And herein lies the problem: either this document is intended for the “web” or it is intended to be general. The two are not the same. I like scoping this document broadly, though, to mark what is currently a best practice. And THEN you can give those people credit for doing the right thing, because they largely have in the past. To be clear: this is a bit of a juggernaut. The idea that a device identity survives through the entire lifetime of a device very much depends on what that lifetime is. Toys and IT equipment have 3-5 year lifetimes. Some sensors have six week lifetimes. Some stuff in the ground has 40-50 year lifetimes, and some mechanical tools like presses have 120 year lifetimes. So sure. 802.1AR is going to need to evolve around these concepts. But let’s please just recognize the reality we face, that the currently deployed systems are going to be around for quite a while, they will continue to verify as they do, and their certs won’t change, at least for onboarding purposes. Eliot
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta
