Re: Updating the rules?

On 7/7/07, Keith Moore <moore(_at_)cs(_dot_)utk(_dot_)edu> wrote:


> Also from the draft:
> "At least for the strong security requirement of BCP 61 [RFC3365], the
> Security Area, with the support of the IESG, has insisted that all
> specifications include at least one mandatory-to-implement strong
> security mechanism to guarantee universal interoperability."
>
> I do not think this is a factual statement, at least when it comes to
> HTTP, which is where my interest lies.
note that it is not necessary to have at least one
mandatory-to-implement strong security mechanism to guarantee
interoperability.


This response sounds suspiciously similar to responses from defenders
of technology and procedures that don't work. That is, the response
assumes that the questioner doesn't understand the finer points of the
system. I'm sure there are details and strategies I don't know about,
but the point about shifting implementation burden is usually one of
the first qualifiers to get dragged out in these arguments. Amusingly,
it sounds pretty pointless in the context of the qualifier that
usually follows: "mandatory-to-implement does not mean
mandatory-to-deploy". This distinction might make sense when
classifying routers and things, but there's no way to tell the
difference for application protocols.

I'm interested in MTI success stories in application protocols.
Anything related to HTTP is right out, because that stuff doesn't
work. Peter mentioned a small success in XMPP, where implementors were
convinced to allow switching from SSL to TLS.

I'm also interested in the reasoning behind the IESG's decision to
allow Atompub to avoid requiring a specific TLS version. That
certainly allows for incompatible conformant implementations. I don't
understand why WGs are not permitted to make similar judgments
regarding other security mechanisms--they usually know more about
their market than the IESG does.

--

Robert Sayre

"I would have written a shorter letter, but I did not have the time."

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf

<Prev in Thread]	Current Thread	[Next in Thread>
Re: PKI is weakly secure (was Re: Updating the rules?), (continued) Re: PKI is weakly secure (was Re: Updating the rules?), Keith Moore Re: PKI is weakly secure, Sam Hartman Re: PKI is weakly secure, Masataka Ohta Re: PKI is weakly secure, Stephen Kent Re: PKI is weakly secure, Peter Saint-Andre RE: PKI is weakly secure, Hallam-Baker, Phillip Re: PKI is weakly secure, Masataka Ohta Re: PKI is weakly secure (was Re: Updating the rules?), Jun-ichiro itojun Hagino Re: PKI is weakly secure (was Re: Updating the rules?), Stephen Kent Re: Updating the rules?, Sam Hartman Re: Updating the rules?, Robert Sayre <= RE: Updating the rules?, Hallam-Baker, Phillip Re: Updating the rules?, Russ Housley RE: Updating the rules?, Hallam-Baker, Phillip Re: Updating the rules?, Keith Moore Re: Updating the rules?, Russ Housley Message not available Re: Updating the rules?, Julian Reschke Re: Updating the rules?, Russ Housley Message not available Re: Updating the rules?, Julian Reschke Re: Updating the rules?, Russ Housley Re: Updating the rules?, Michael Thomas