ietf

Re: Use of "unassigned" in IANA registries

2011-01-14 21:17:05
On Fri, Jan 14, 2011 at 5:06 PM, Martin Rex <mrex(_at_)sap(_dot_)com> wrote:

Phillip Hallam-Baker wrote:

The illusion of control is comforting to some but it is an illusion. At the
end of the day the IETF has roughly 2000 people involved. Nobody elected us.
We are accountable to no-one.

I assume the number of IETF contributors is more like 5000-10000.


The Internet has 2 billion users. We do not accept accountability to those
users. We cannot even understand what their requirements might be. And even
if we did, we may well reject them out of hand.

Everybody can get involved with the IETF and although some working groups
may have superseded rough consensus by voting these days, there are still
significant numbers of contributors involved in the IETF with non-marginal
levels of dignity about the technologies they are creating.


It is hard to imagine any structure that could provide for significantly
more than one person in a million being involved in the IETF.

We can face that fact or we can pretend that it doesn't matter and that we
can have power without accountability. I believe Rudyard Kipling's quote on
that topic was on point.


The first cost is the cost of maintaining the registry. Assigning code
points requires an administrator, it frequently requires expert review.
That incurs time and money.

You are asserting here that by _not_ using an IANA registry, but instead
relying on ASN.1 OIDs, suddenly the use of DSA with MD4 for a digital
signature obviates expert review and becomes technically sound?


No, the proliferation of cryptographic algorithms is a bad thing in and of
itself.

In the past it was believed that having a backup algorithm was a good thing.
Then we discovered that in fact the security of a scheme is usually
determined by the least secure algorithm supported rather than the best and
that adding a backup algorithm merely created additional opportunities to
crack the system.


We should not therefore be in the business of expertly reviewing any crypto
unless we believe it to be a significant improvement on the existing
algorithms.

Your straw man case of DSA with MD4 is easy to reject. But what would be the
acceptance conditions?

From a protocol standpoint the correct response is arguably to reject every
application. But doing that is impossible as the GOST case demonstrates. If
the IETF had not assigned the code points then they would have been assigned
by the GRU.


We cannot stop people from shooting themselves in the foot and we should not
try either.



The assignment of a code point itself is a cost infinitesimally close to
zero.  No matter how you look at it, at the abstract level there is
no difference between an IANA code point assignment for something
and the assignment of an ASN.1 OID or a URI by some organization.


From a political standpoint it is totally different. Assignment of an IANA
code point is an IETF endorsement no matter how many caveats we attempt to
apply.

The cost of expert review is non-zero.



With an IANA registry, the IETF can (and should) enforce free availability
of the relevant specifications plus at least availability of RAND conditions
for the surrounding (known) IPR claims


Nonsense.

If the IETF refuses to issue code points people will issue them themselves.
That was the original observation at the start of this thread.


-- 
Website: http://hallambaker.com/