
Re: draft-dukhovni-opportunistic-security-04

2014-09-01 17:48:36
On Wed, Aug 27, 2014 at 01:40:13PM -0400, Michael Richardson wrote:
Paul Wouters <paul(_at_)nohats(_dot_)ca> wrote:
    >> Subject: draft-dukhovni-opportunistic-security-04

    > ExecSum: The document sits between a "generic advice" and "specific
    > protocol recommendations" and accomplishes neither. The definition
    > is unclear and the used language makes this document hard to read,
    > especially for non-native English speakers.

I agree, good summary of the problems.

Thanks for putting that point so clearly.

I've been giving this some thought.  Here's my answer to this.

Channel binding (CB) offers some interesting parallels.

We published RFC5056 defining CB as a Proposed Standard, even though
it's not a protocol: like OS it's just a design pattern.  OS, meanwhile,
is aiming for Informational status.

I believe the above question translates as: how can we justify such a
difference?  Shouldn't OS be a Proposed Standard?

CB was an old, obscure, and ill-defined concept when I wrote RFC5056.
OS too isn't entirely a new concept.  This makes CB and OS similar in
this sense: they are both "new" concepts.

That's where the similarities stop.

CB has critical semantics: it could only have been published as a
Standards-Track RFC!

OS is more nebulous: because it applies where systems would have been
willing to use cleartext instead.  We should give guidance to future
protocol designers, but we don't need to give them normative language
exactingly defining OS' semantics -- partly because we can't (see
below).

I decided to hold my nose: it's only going to be successful in the
first case, but the author seems bent on doing the second.

I would agree 100% with this if I thought Viktor was trying to offer
normative language in an informational vehicle.  I don't think he is.

All specific details discussed in his draft are about an example
protocol (SMTP) where OS has been implemented already.

We've discussed HTTP a bit on these lists and... applying OS there is
not quite as easy as in SMTP, and will require more discussion.  Thus
making it obvious that it is too soon to develop a normative definition
of OS.

For me OS is just a short-hand for a set of principles.  CB is a
short-hand for a set of requirements; OS is not.  Therefore I think OS
should be Informational.

Now, is it worth publishing OS as Informational?  IMO, yes, but if every
FYI will be this difficult to get through going forward, then IMO we
might as well stop publishing FYIs.

Nico
-- 
