Hi Joe,
At 09:52 30-05-2014, Joseph Salowey (jsalowey) wrote:
[Joe] Running code is certainly good, but I don't think the ed25519
paper by itself provides enough information to create an
interoperable implementation. Without this information I'm not
sure it's possible to implement the draft. For example, as you
mention below, the format for the key is undocumented. Is it well
enough understood what the format of the data to be hashed in the
fingerprint is from the draft and its references? It seems the only
documentation of the protocol is in the source code. I'm not sure
if there is a precedent for referencing source code, but if it is
source controlled perhaps it is acceptable.

According to http://www.openssh.com/ OpenSSH is used by "companies
like NetApp, NETFLIX, EMC, Juniper, Cisco, Apple, Red Hat, and
Novell; but probably includes almost all router, switch or unix-like
operating system vendors". The source code has been under revision
control for over 10 years and it is publicly accessible. The
source code is distributed under a liberal license. I could have
argued for "Proposed Standard". I thought that it was better to go
for "Informational" to document what has been implemented, as I would
have raised arguments similar to the ones quoted above in a review
about a "Proposed Standard".

There was a comment from Rene Struik during the Last Call about the
hash and the ed25519 paper (
http://www.ietf.org/mail-archive/web/ietf/current/msg87894.html ). I
think that he understood how it works. The well understood test
happens after publication as it depends on the unknown reader.

There is a precedent for referencing source code. In my opinion it
is better not to do that unless it is really necessary. I prefer not
to use the precedent argument.

I'll note that this draft does not break anything on the internet.

Please let me know whether the above addresses the issues in the review.

Regards,
S. Moonesamy