On Tue, 18 Dec 2018, Yoav Nir wrote:
When I described the various SHOULD, MAY, MUST and their variants, I was
not suggesting putting that into the IANA registry. The IANA registry
should only get "deprecated" or "obsolete". In my view (and I think the
RFCs' view) "deprecated" means "issues found, stop using it" and
"obsolete" means "meh, not harmful but no one else is using it anymore".
I think it’s best to copy what TLS is doing and just add a “Recommended” column
with a y/n value to all the algorithm lists.
A prudent administrator enables the algorithms marked “Recommended” and none of
the others.
An administrator that enables other algorithms will have to explain why he or
she did that when things go wrong.
TLS did write a document to change the IANA registries like that.
Recommended to implement or recommended for use?
For instance, it is recommended to implement MODP 1536, but not recommended
to use it. The same is probably true for 3DES?
And what about AES_CTR? It's really a MAY so it is not recommended and
not not recommended.
It's confusing. Deprecated/obsolete seems better. It's a negative term
applying to both implementing and using.
Browsers have too much power, so they can stomp on TLS servers. With
IPsec we don't have that much power.
Paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec