On Wed, Jul 03, 2019 at 09:52:03PM -0400, Keith Moore wrote:
> On 7/3/19 9:30 PM, Andrew Sullivan wrote:
>
> > > difficulties. It used to be clear that you didn't deploy implementations
> > > based on Proposed Standard, but people did anyway.
> > When was that "clear"?
>
> Probably I was thinking of RFC2026 section 4.1.1, last paragraph:
>
>    Implementors should treat Proposed Standards as immature
>    specifications. It is desirable to implement them in order to gain
>    experience and to validate, test, and clarify the specification.
>    However, since the content of Proposed Standards may be changed if
>    problems are found or better solutions are identified, /deploying
>    implementations of such standards into a disruption-sensitive environment is
>    not recommended./
>
> But of course that's not stating it as strongly as I remembered, and the
> problem of deploying implementations based on Proposed Standard existed even
> before that. I remember a flap about telnet implementations circa 1992 in
> which implementations of a certain option didn't interoperate - one vendor
> followed the PS text and all of the others implemented it in the opposite
> way, and I heard a lot of people saying "they shouldn't have deployed at
> Proposed".

In the security area just about all major Internet protocols are at
Proposed Standard. PKIX? Proposed Standard. Kerberos? Ditto. TLS?
Yup. SSHv2? Indeed. IKEv2? No, IKEv2 and CMS are among the
exceptions, though what good IKEv2 might do anyone w/o ESP, or CMS w/o
PKIX, I don't know.

Whatever the intention originally might have been, it's certainly long
not been the case that one should not deploy protocols that are at
Proposed Standard.

And it's very difficult to stop vendors from shipping pre-RFC protocols.
We don't have a protocol police, and we move too slowly.

If we don't adapt, other SDOs will do more of our work. A big selling
point of the IETF is its review processes -- the adults in the room to
keep authors from doing dreadful things. But we need to speed up the
cycle somewhat, and one way to do it might be to have a way to indicate
expected stability in I-Ds, and probably only in WG work items only, and
at some cost (e.g., early directorate reviews?). I don't quite know --
maybe after reflection we might conclude we shouldn't do this, but we
should certainly discuss it, and be able to discuss it.

Nico
--