Subject: Re: rfc2228 in ftpd
To: Perry E. Metzger <>
From: Steven M. Bellovin <>
List: tech-security
Date: 06/23/2002 23:21:10

In message <>, "Perry E. Metzger" writes:
>"Steven M. Bellovin" <> writes:
>> In message <>, "Perry E. Metzger" writes:
>> >I'm not sure I was even aware of that RFC before now. Are we sure the
>> >IETF still considers it to be a standards track document? I'd also
>> >suggest that the matter be discussed on tech-security -- tech-userlevel
>> >is not the right list...
>> It's still listed as "Proposed Standard" in the index.
>Yah, but it has never gotten past Proposed to Draft, and I'm unaware
>of implementations.  At the time it was written, the world was very
>different, and rolling (mostly) your own security transport was
>common. Now everyone Just Uses SSL. The question in my mind is, given
>the utter lack of implementations, do we want something where we've
>got a whole new protocol with potential holes, or do we Just Use SSL
>so we can piggy back on its properties?
>Steve, you're a Security AD. What's your opinion?

As I said, I have no idea if anyone else has implemented it, modulo the 
note from Ken Hornstein.

But don't read too much -- or too little -- into the fact that it's a 
Proposed Standard.  It's often been said that "the Internet runs on 
Proposed Standards" -- there are remarkably few Draft standards, let 
alone Standards.  TLS (RFC 2246) is Proposed, to give just one example.
Failure to advance could mean that no one is using it; it could also 
mean that no one has bothered with the process necessary to advance it, 
because there doesn't seem to be any point -- it's working, so why 
bother it?

The whole question of whether or not the glut of Proposed standards is 
a problem, and if so what should be done, comes up regularly in the 
IESG.  I have no particular wisdom on the subject.

		--Steve Bellovin, (me) ("Firewalls" book)