Re: Withdrawing sponsorship of draft-housley-tls-authz-extns

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



There is one thing that needs to be highlighted at this point. John's message come close to saying it, but it falls short.

There are at least two implementations of this TLS authorization extension. These implementations use the code point that was assigned by IANA while this document was in the RFC Editor queue. It is clear to me that this protocol can be used in ways that do not run into problems with the RedPhone Security IPR. I am not a patent lawyer, so you need to make your own assessment of this situation. If others come to the same conclusion, the existing implementations may find deployment. As a result of my analysis, I do not believe that we should hamper this deployment. Failing to use the code point previously assigned by IANA would force these implementations to make changes.

Russ

At 11:11 AM 6/12/2007, John C Klensin wrote:


--On Tuesday, June 12, 2007 07:11 -0700 Dave Crocker <dhc2@xxxxxxxxxxxx> wrote:

To obtain "IETF approval", there needs to be a sponsoring AD.
Sam explained why he feels he cannot fill that role any
longer.  Whether some other AD feels can can serve in his
stead is their individual decision.  We do not have any rules
that compel an AD to sponsor a submission.  Indeed, being able
to obtain a willing sponsor is considered part of the IETF
vetting process.

Nothing prevents the document from being submitted directly to
the RFC Editor, for publication as a non-IETF document.

That is the avenue I would prefer, but it raises another issue (which I think would fall into the category Eliot referred to as <a corner in the process>). As Sam points out, the actual use of this as a protocol requires IANA registration of parameters and current procedures for TLS extensions and many other things require IETF consensus for such registrations and hence for publication of any document that specifies, or requests IANA registration of, such parameters.

There may be things that make this particular case special, but, for the general case, I have gradually come to think that model is broken. The problem is that the IETF cannot _prevent_ someone from making up a parameter and using it, registered or not, nor can we punish someone who does so. So, by preventing registration, we do little but increase the odds that one unregistered and unapproved extension will use the same parameter keywords as another, causing interoperability problems. Preventing publication and registration does not necessarily reduce the odds that the extension will be used; it merely reduces the odds that a system encountering that extension will be able to properly identify it and easily determine what it is attempting to do.

Consequently, I believe that many of the <IETF Consensus required> registration requirements should be changed to permit an alternate lower threshold of:

        (1) There has been IETF review and discussion, but the
        IETF did not conclude that the idea was wise, or even
        perhaps concluded that it was a bad idea.  Note that
        this is very different from "not reviewed in the
        IETF".

        (2) There is a reasonable basis for concluding that the
        protocol has been, or is likely to be, deployed.

For that class of situation, I now believe that it should be possible to make an independent submission and, if the RFC Editor judges that the document is of adequate interest and technical and editorial quality, be published and the registrations made. Of course, the document should, at that stage, be very clear that it is not an IETF-approved protocol and should ideally explain the reasons why the IETF did not approve it. Similarly, the registration should be made in the interest of interoperability but both the "IANA Considerations" section of the document and the registration itself should clearly indicate that the registration is to prevent interoperability problems only and does not imply approval or endorsement.

Our pretending that a protocol extension will simply go away because we don't like it --or because we can't agree that we do like it-- does not make the Internet work better.

     john


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf



_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]