IETF-SSH archive
Re: des-cbc cipher
Bill Sommerfeld <sommerfeld@east.sun.com> writes:
> Before that text was added to the draft, the use of non-@-qualified
> names was designated as "assigned by IANA"; this turns out to have
> very little meaning -- as IANA requires guidance from the IETF in how
> to do these assignments, and no such registry exists (and it won't
> exist until our documents get to the IESG). So it strikes me as
> unnecessarily restrictive to attempt to exert retroactive control
> here.
I don't want to object to your proposed resolution for this issue, but
I want to point out that even if the IANA considerations section of
older drafts was quite vague, I think the algorithm naming section
makes it pretty clear. My reading of that is that all valid names are
defined either
* directly in the spec (these names will turn up in the initial
IANA approved list whenever the IANA registration process is
opened), or
* by IANA registration (and this set of names has so far always been
empty, as no registration process has ever been started), or
* by using the @-form.
From draft-ietf-secsh-architecture-02.txt, section 5 (the oldest
architecture draft I have around):
: There are two formats for algorithm names:
:
: o Names that do not contain an at-sign (@) are reserved to be assigned
: by IANA (Internet Assigned Numbers Authority). Examples include
: `3des-cbc', `sha-1', `hmac-sha1', and `zlib' (the quotes are not part
: of the name). Additional names of this format may be registered with
: IANA; see Section ``IANA Considerations''. Names of this format MUST
: NOT be used without first registering with IANA. Registered names
: MUST NOT contain an at-sign (@) or a comma (,).
:
: o Anyone can define additional algorithms by using names in the format
: name@domainname, e.g. "ourcipher-cbc@ssh.fi". The format of the part
: preceding the at sign is not specified; it MUST consist of US-ASCII
: characters except at-sign and comma. The part following the at-sign
: MUST be a valid fully qualified internet domain name [RFC-1034]
: controlled by the person or organization defining the name. It is up
: to each domain how it manages its local namespace.
If anyone can explain how to read that as allowing the unregistered
name `des-cbc', please mail me privately, I hope we need not discuss
that anymore on this list.
Regards,
/Niels
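Added illustration, not part of this thread or of any SSH implementation: a checker that classifies algorithm names under the section 5 rules quoted above (no at-sign means IANA namespace, otherwise name@fqdn with US-ASCII only and no comma). The registry set is a constructed stand-in for the IANA list, seeded only with the example names the draft itself gives, so an unregistered name such as `des-cbc` is reported as exactly that.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the IANA registry: the names the quoted draft text
# itself lists. A real implementation would load the actual IANA registry.
REGISTERED_NAMES = {"3des-cbc", "sha-1", "hmac-sha1", "zlib"}

# RFC 1034 label syntax: letters, digits and hyphens, no leading or trailing
# hyphen, at most 63 characters.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


@dataclass(frozen=True)
class NameCheck:
    name: str
    kind: str    # "registered", "unregistered", "private" or "invalid"
    reason: str


def is_fqdn(domain: str) -> bool:
    """Syntactic FQDN check: at least two valid labels, at most 253 chars."""
    if not domain or len(domain) > 253:
        return False
    labels = domain.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)


def check_algorithm_name(name: str, registry=REGISTERED_NAMES) -> NameCheck:
    """Classify a single SSH algorithm name under the draft's section 5 rules."""
    if not name or not name.isascii():
        return NameCheck(name, "invalid", "empty or contains non-US-ASCII")
    if "," in name:
        return NameCheck(name, "invalid", "comma is reserved as the name-list separator")
    if "@" not in name:
        # No at-sign: the name belongs to the IANA namespace and must be registered.
        if name in registry:
            return NameCheck(name, "registered", "IANA-assigned name")
        return NameCheck(name, "unregistered", "non-@ name that is not in the registry")
    local, _, domain = name.partition("@")
    if not local or "@" in domain:
        return NameCheck(name, "invalid", "exactly one at-sign with a non-empty local part required")
    if not is_fqdn(domain):
        return NameCheck(name, "invalid", "part after the at-sign is not a valid FQDN")
    return NameCheck(name, "private", f"namespace controlled by {domain}")


def check_name_list(name_list: str, registry=REGISTERED_NAMES) -> list[NameCheck]:
    """Check every entry of a comma-separated name-list as sent in KEXINIT."""
    return [check_algorithm_name(n, registry) for n in name_list.split(",")]
```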