Re: Keyed-MD5, and HTTP-NG
Perry,
I personally spoke to Bill Simpson about this problem. I should have given you a phone call or email in addition to speaking to Bill. In my opinion this problem does not at all reflect on your skills or reputation. What it signifies to me is the poor state of cryptographic engineering.
If anything, it points out the wisdom of the IPsec designers in requiring that key material have a limited lifetime. A wise engineering choice like this protects the system against many different kinds of attacks.
Of course, the protocol implementors often omit "details" like key lifetime limits. In fact, 17 years ago when I wrote a TCP/IP stack for the Xerox Alto I left out several "details", which of course caused lots of problems when I did interoperability testing with a mainframe (Multics).
--Bob
______________________________ Reply Separator _________________________________
On 11/1/95 10:20 AM, perry@piermont.com wrote:
There were two names on the MD5 document -- mine and Bill Simpson's. Bill didn't tell me that he was called (I suspect he would have), and I wasn't called, either. We were the only two editors of that portion of the specification.
Given that my name was on that document and that I made a large effort to try to make sure that people examined the algorithms and thought they were good, and that I have some of my reputation tied to that document, I am rather unhappy at the fact that I only find out third hand about what people in the field have determined about our selected algorithm.
On 11/1/95 10:20 AM, perry@piermont.com wrote:
There were two names on the MD5 document -- mine and Bill Simpson's. Bill didn't tell me that he was called (I suspect he would have), and I wasn't called, either. We were the only two editors of that portion of the specification.
This appears to have been a problem from both ends. A number of people around here only heard about the IPsec work when it had reached the final call phase.
There also seems to be a move towards looking at the question of how protocol and cryptography interact as a field in its own right.
I think this highlights one of the problems with the IETF: we need a much broader infrastructure for understanding what progress other groups have made. The time when we can expect to do everything through email alone is past.
I wish I could persuade more people in the IETF that the Web infrastructure could provide a valuable assistance as a collaboration tool for their needs. Unfortunately the approach seems to be that because there is a person living at the end of a 2400 baud modem in Vermont who cannot configure his PPP we should all continue in the stone age.
We could improve readability of RFCs through using HTML and reduce the flamage on mailing lists through collaboration tools like the open meeting. But we don't because it hasn't been done that way in the past.
I would like to see a collaboration system where I can present an expert with the context of a proposal very rapidly without expecting them to read the archives of an entire mailing list.
Phill
hallam@w3.org writes:
This appears to have been a problem from both ends. A number of people around here only heard about the IPsec work when it had reached the final call phase.
I can't help that. We were very loud about our efforts and I publicized them wherever I could. I mentioned drafts here on cypherpunks and elsewhere frequently. We tried to solicit the help of lots of people in the crypto community. I was begging people for help with our MD5 and other transforms for months and months. I believe that lots of people were aware of what was going on and just didn't take us seriously until the last minute.
I think this highlights one of the problems with the IETF: we need a much broader infrastructure for understanding what progress other groups have made. The time when we can expect to do everything through email alone is past.
I pretty much know what's going on throughout the IETF, although I don't know all the petty details. I think that it's a matter of trying to remain plugged in and following the announcements of drafts.
I wish I could persuade more people in the IETF that the Web infrastructure could provide a valuable assistance as a collaboration tool for their needs. Unfortunately the approach seems to be that because there is a person living at the end of a 2400 baud modem in Vermont who cannot configure his PPP we should all continue in the stone age.
There are lots of IETF web pages already.
We could improve readability of RFCs through using HTML
I truly dislike that idea. I hope that this never comes to pass. Text is just fine. RFCs are perfectly readable right now. The problem is more getting people to read them than legibility problems. If anything would be an improvement it would be PostScript, and I oppose that even though it's easy for anyone who wants to to get a PostScript interpreter.
I would like to see a collaboration system where I can present an expert with the context of a proposal very rapidly without expecting them to read the archives of an entire mailing list.
I would like to see such a thing as well. I would also like to see a system which permitted perfectly just adjudication of disputes without need for evidence. Unfortunately, neither is possible.
Perry
On Wed, 1 Nov 1995 hallam@w3.org wrote:
email alone is past. I wish I could persuade more people in the IETF that the Web infrastructure could provide a valuable assistance
Have you tried <www.ietf.org> ? Seems to have all the relevant links, Perry's stuff included.