Re: Revised Last Call: 'SSH Transport Layer Encryption Modes' to Proposed

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 25 Aug 2005, Bill Sommerfeld wrote:
[normative specification is in the RFC series, vs. somewhere else and just copied or described in an info/exp RFC]
At least to me, these two categories should be treated differently.

Can you explain why?

Cryptographic algorithms are, in general, hard to use correctly.
Security review of cryptographic protocols involves an assessment of
whether the specific algorithms used actually meet the requirements of
that protocol.

If the normative specification is done in the RFC series, I would expect that the specification should undergo adequate review.

Informational/Experimental do not include wider IETF review (though whether the IETF can really review these specifications is a good question in any case), and to a degree, not necessarily even IESG review.

The reason for "downref" rules is to prevent depending on lower stability/quality specifications. The metric is very coarse. There are probably good Informational/Experimental documents out there. On the other hand, referencing the works of other SDOs normatively is fine -- thus getting back to the point "is the normative specification in the RFC series or somewhere else?". The "other SDO Specification" allows value judgment on the quality of the normative specification (e.g., a simple web page might or might no qualify).


--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]