[Ach] rfc7525

ianG iang at iang.org
Mon Jun 1 13:19:50 CEST 2015


Thanks to Aaron, Max and Maciej!

Yes, I can see the point.  What I was worried about originally is that, 
as Aaron points out, it's a point-in-time document and therefore cannot 
provide timely advice.  But if it is done at a high enough level then 
that, I guess, works out.

(This is also in my context of some work going on at IETF WGs aimed at 
improving the pre-design approaches to crypto protocols.  Some of us are 
hoping to reduce the choice in future protocols in as many ways as we 
can so the load on sysadms & users is reduced.)

iang


On 1/06/2015 11:32 am, Aaron Zauner wrote:
> Hi Ian,
>
> I've waited a bit for others to state the obvious.
>
> ianG wrote:
>>
>> How does their project compare to the BetterCrypto project?  Can we shut
>> up shop now that the IETF is in the game?  Is there a very different
>> purpose?  Or are they just faffing around in committee again...
>>
>> Does the RFC format help?  I would have thought the notion of publishing
>> an RFC was strictly wrong because security is an arms race and only a
>> dynamic document process can help.
>>
>> How did their work compare to BetterCrypto's advice?  Was there anything
>> in there that we didn't know?  Is there anything they didn't know?
>>
>> Is their advice useful to ... whom?  sysadms?  Implementors?  Designers?
>>   I gave it a quick skim and it seemed to be rather ... useless to
>> sysadms for example.
>>
>
> I think the RFC is an important point-in-time document regarding TLS
> security. This document won't give advice on how to configure various
> services though. It's not exactly aimed at the sysadmin. It is a BCP we
> should all follow and the similarities to bettercrypto are no
> coincidence. Others and myself have contributed to that document. I'm
> still a bit unhappy that TLS 1.0 didn't get a "MUST NOT negotiate" in
> the process. But all-in-all this is an excellent BCP. I don't think it
> makes our efforts null; these are two different objectives after all. Or
> maybe the same objective on different levels of expertise. I don't
> expect sysadmins to read BCPs (they should though).
>
> Aaron
>