ietf

Re: what happened to newtrk?

2006-09-07 13:43:33


--On Wednesday, 06 September, 2006 13:35 +0200 Frank Ellermann
<nobody(_at_)xyzzy(_dot_)claranet(_dot_)de> wrote:

Brian E Carpenter wrote:

3464 is already DS according to the RFC Index.

Good, the process works, unlike my memory:  I meant 3834,
a few days ago I wrote 3864 instead of 3834 on another
list, so that's the third attempt: 3834.

 [interoperability report]
if {all mandatory and optional features shown to interoperate}
   then {send a request to reclassify RFC 2195 to the IESG}

So far it sounds simple (for the 2195 example).  I test it,
thanks for info.

Actually, that topic opens up one of the fundamental issues with
our standards process ... one where better definition and clear
community consensus is, IMO, needed.  Measured by our documented
criteria, 2195 exists in multiple independent implementations,
has been widely deployed, and is considered useful by many of
those who are using it.   Current thinking in the security area
is that it isn't much better than the use of clear-text
passwords, but our formal definitions of the requirements for
Draft Standard don't require that we recommend the use of the
protocol involved: "Draft" and "Not Recommended" are perfectly
consistent.

It would also be completely consistent with our published
policies to require that a Draft Standard offspring of 2195
contain explicit text in the Security Considerations section
that describes the attack, recommends that the technique of 2195
be used only over an encrypted tunnel or on a protected network,
reflects on whether it offers any real advantage over plain text
passwords in those situations, and recommends something else.  

It is not consistent with our published policies as I read them
to refuse to promote it to Draft simply because there is general
feeling that security technology has passed it by.  But that is,
I think, exactly what would happen today if the protocol were
proposed for advancement.

        john

p.s. While I'm the first-listed author of 2195, I don't hold any
particular affection for it.   It was written because it seemed
to be necessary at the time and I could pull a group together to
do the work.   The comments above are hence independent of any
personal interest in keeping 2195 alive -- I have none.



