IETF-SSH archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Core draft last call update.



On Sat, Mar 09, 2002 at 10:26:50AM -0500, Bill Sommerfeld wrote:
> Remember that a certain set of folks will use telnet instead simply
> because there's an RFC for telnet and there isn't one for SSH.

Who are these people who puts that much more value on the availability of
an RFC than on security? I'm not sure we should be so concerned with them.

As the working group charter states, this working group is supposed to
assure that the SSH protocol provides strong security against
cryptanalysis and protocol attacks. I think it does nothing to inspire
confidence in potential users of the SSH protocol to have a security fix
come out immediately after the core RFCs are published. To me, being able
to claim that the set of core RFCs is free from known protocol weaknesses
is much more valuable than having the RFCs published a few weeks earlier.

Given that the problem was found in time, and that the fix is simple (I've
already provided the suggested language), why not just agree to fix it
now? I'm new to the IETF standardization process, but how much time could
it possibly take to put in the fix? If CTR mode is too controversial
(although I don't know why it would be and still haven't seen a
substantial argument against it) I would be willing to compromise by using
OFB or CFB mode instead. 



Home | Main Index | Thread Index | Old Index