iang at iang.org
Mon Jun 1 13:19:50 CEST 2015
Thanks to Aaron, Max and Maciej!
Yes I can see the point. What I was worried about originally is that,
as Aaron points out, it's a point in time document and therefore cannot
provide timely advice. But if it is done at a high enough level then
that I guess works out.
(This is also in my context of some work going on at IETF WGs aimed at
improving the pre-design approaches to crypto protocols. Some of us are
hoping to reduce the choice in future protocols in as many ways as we
can so the load on sysadms & users is reduced.)
On 1/06/2015 11:32 am, Aaron Zauner wrote:
> Hi Ian,
> I've waited a bit for others to state the obvious.
> ianG wrote:
>> How does their project compare to the BetterCrypto project? Can we shut
>> up shop now that the IETF is in the game? Is there a very different
>> purpose? Or are they just faffing around in committee again...
>> Does the RFC format help? I would have thought the notion of publishing
>> an RFC was strictly wrong because security is an arms race and only a
>> dynamic document process can help.
>> How did their work compare to BetterCrypto's advice? Was there anything
>> in there that we didn't know? Is there anything they didn't know?
>> Is their advice useful to ... whom? sysadms? Implementors? Designers?
>> I gave it a quick skim and it seemed to be rather ... useless to
>> sysadms for example.
> I think the RFC is an important point-in-time document regarding TLS
> security. This document won't give advice on how to configure various
> services though. It's not exactly aimed at the sysadmin. It is a BCP we
> should all follow and the similarities to bettercrypto are no
> coincidence. Others and myself have contributed to that document. I'm
> still a bit unhappy that TLS 1.0 didn't get a "MUST NOT negotiate" in
> the process. But all-in-all this is an excellent BCP. I don't think it
> makes our efforts null; these are two different objectives after all. OR
> maybe the same objective on different levels of expertise. I don't
> expect sysadmins to read BCPs (they should though).
More information about the Ach