Salz, Rich wrote on 2022-09-29 15:06:
There are a couple of conflicting trends here. Most IETF security-related work is aimed at the public Internet, not internal enterprise. On the other hand, it makes sense to want COTS solutions and not purpose-built things.

or noncommercial off-the-shelf things. for example, open source software. that is to say, "anything".

We have direct experience with users being forcibly “downgraded” when options to do that are available, which is why many participants are loath to add things like “static RSA key exchange” or “no content encryption” to the protocols developed here.

when i explain these concerns and recount the decisions made based on them to conference audiences, the surprise is total.

As Paul alluded, you’re unlikely to find much agreement for your use-case given the perceived risks.

the requirement that i encrypt things that never leave my server or LAN means a lot of wasted heat and an inability to use names for which i lack certificates or else have certificates not signed by a global authority.

i recognize the perceived risks of not imposing those costs. i only hope others recognize the imposed costs of avoiding those risks. (which is what i also said when the ssh2 people removed the "none" enctype, fwiw.)

On the other hand, you might be able to convince your vendors to support RFC 9150 and make it a requirement in your RFPs.

yes, that's a good way to proceed: build roads not walls.

--
P Vixie
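The concern raised above is that once options such as static RSA key exchange or "no content encryption" exist in a deployment, clients can be pushed onto them. The defender-side counterpart is to audit a configured cipher list for exactly those options before it ships. The following is an added example, not code from either participant or from any IETF document: it classifies OpenSSL-style cipher names (the `TLS_`-prefixed TLS 1.3 names, the two RFC 9150 integrity-only suites, and the dash-separated TLS 1.2 names) and produces a filtered list. The sample cipher list is constructed for illustration, and the name-based heuristics are an assumption about OpenSSL's naming, not a parser of its full grammar.

```python
"""Audit an OpenSSL-style cipher list for downgrade-prone suites.

Added example (not from the thread). Three properties are flagged, matching
the options the thread says are dangerous to leave available:
  * NULL / integrity-only encryption (including RFC 9150 TLS 1.3 suites)
  * static RSA key exchange (no forward secrecy)
  * anonymous key exchange (no server authentication)
Naming heuristics assume OpenSSL's cipher names; they are not exhaustive.
"""

NO_ENC = "no content encryption (integrity-only)"
STATIC_RSA = "static RSA key exchange (no forward secrecy)"
ANON = "anonymous key exchange (no server authentication)"

# RFC 9150 TLS 1.3 integrity-only suites (HMAC only, no AEAD).
INTEGRITY_ONLY_TLS13 = {"TLS_SHA256_SHA256", "TLS_SHA384_SHA384"}

# TLS 1.2 names: the first dash-separated token names the key exchange.
# Anonymous (EC)DH has no server authentication at all.
ANON_KEX = {"ADH", "AECDH"}
# If the first token is already a bulk cipher, OpenSSL means "RSA key
# transport" (e.g. AES128-GCM-SHA256, NULL-SHA256, DES-CBC3-SHA).
BULK_CIPHERS = {
    "AES128", "AES256", "ARIA128", "ARIA256", "CAMELLIA128", "CAMELLIA256",
    "CHACHA20", "DES", "IDEA", "NULL", "RC4", "SEED",
}


def classify(suite: str) -> list[str]:
    """Return the downgrade-risk reasons for one cipher suite name ([] if none)."""
    reasons: list[str] = []
    if suite.startswith("TLS_"):
        # TLS 1.3: key exchange is always ephemeral and authenticated, so the
        # only thing that can go wrong is the absence of encryption.
        if suite in INTEGRITY_ONLY_TLS13:
            reasons.append(NO_ENC)
        return reasons

    tokens = suite.split("-")
    if tokens[0] in ANON_KEX:
        reasons.append(ANON)
    elif tokens[0] in BULK_CIPHERS:
        reasons.append(STATIC_RSA)
    if "NULL" in tokens:
        reasons.append(NO_ENC)
    return reasons


def audit(cipher_list: str) -> dict[str, list[str]]:
    """Map each risky suite in a colon-separated cipher list to its reasons."""
    findings: dict[str, list[str]] = {}
    for suite in filter(None, cipher_list.split(":")):
        reasons = classify(suite)
        if reasons:
            findings[suite] = reasons
    return findings


def hardened(cipher_list: str) -> str:
    """Return the cipher list with every flagged suite removed, order preserved."""
    kept = [s for s in filter(None, cipher_list.split(":")) if not classify(s)]
    return ":".join(kept)


# Constructed sample: a plausible "allow everything the vendor offers" list.
SAMPLE_CIPHER_LIST = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "AES128-GCM-SHA256:ECDHE-RSA-NULL-SHA:NULL-SHA256:ADH-AES128-SHA:"
    "TLS_AES_128_GCM_SHA256:TLS_SHA256_SHA256"
)

if __name__ == "__main__":
    for suite, reasons in audit(SAMPLE_CIPHER_LIST).items():
        print(f"{suite}: {'; '.join(reasons)}")
    print("hardened:", hardened(SAMPLE_CIPHER_LIST))
```

The audit is deliberately name-based so it can run against a vendor's documented cipher string without a TLS stack present; for a deployed endpoint the same classification can be applied to the suites actually negotiated, which is where the thread's point about RFC 9150 becomes a concrete policy decision rather than an accident of defaults.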
