
Re: [saag] RE: No need for SHA-2 Packet Authentication - Open Letter to the WG and Area Directors




On Tuesday, July 23, 2002, at 03:32 , Hallam-Baker, Phillip wrote:
> 1. DoD may not be bound by NIST rules but AES/SHA-256 is a NIST 
> standard.
> 	Ergo if DoD takes it into its head to demand a NIST standard it
> likely does so because it regards NIST to be authoritative.

	Disagree.  Any operator/user that requests something from its vendors
or from IETF likely does so because they think it is a good idea for
their situation.  Clearly your mileage varies from mine on this aspect.

> 2. IETF rules may state that working group members speak for themselves.
> 	However that does not mean that a working group should take a work
> item on the assertion by J. Random Bozo that the USG demands it when we
> can ask the organization that USG appointed to make such assertions.

	Being on the SAAG list only, I haven't seen anyone suggest that
any WG *standardise* anything.  No doubt I've missed some context here
by not being on the IPsec WG list.

RECAP:
	This thread was started on the SAAG list by someone suggesting
*not standardising* something and further apparently (since clarified)
trying to prevent that something from even being published.  I responded
saying that preventing publication was nearly always a bad idea and that
market requirements tend to have a life of their own (largely
independent of what standards bodies might proclaim from on high) --
with an example scenario.  It appears that some folks (e.g. Phillip)
misconstrued providing that example as a request for standardisation,
which is unfortunate.

SUMMARY:
	To be clear, and repetitive with my earlier note, I don't care one
iota what does or doesn't get standardised for algorithms in IPsec.  I'm
totally indifferent to that dimension.  I care a lot that people are
allowed to publish reasonable documents as non-standard RFCs if IETF
chooses not to standardise them.  I also noted that RFC Editor has the
power to make that decision to publish Informational or Experimental
RFCs.

> 3. USG policy (including DoD) is currently to use COTS wherever possible.
> 	If USG departments are having to specify non-standard extensions to
> COTS software and NIST has failed to even inform the standards body that
> they have a requirement then NIST is not doing its job.

	Or IETF hasn't done its job to listen to operators/users to get the
right feature set into the standards.   If the latter, no doubt that
will be the first time that has happened in IETF in recent years.  Any
number of other things are also possibly happening in this situation.

	Since IETF does NOT have organisational members and IAB has no
liaison established with NIST, it isn't obvious to me how "NIST" can
officially communicate anything with IETF.  So I don't see how
criticising NIST (or folks who happen to work there) is either
appropriate or helpful.

	I'll be putting future notes from Phillip on this thread into
/dev/null, so he can have the last word and the SAAG list can resume its
normal happy silence. :-)

Cheers,

Ran
rja@extremenetworks.com