Subject: Re: rfc2228 in ftpd
To: Perry E. Metzger <email@example.com>
From: Steven M. Bellovin <firstname.lastname@example.org>
Date: 06/23/2002 23:21:10

In message <email@example.com>, "Perry E. Metzger" writes:
>"Steven M. Bellovin" <firstname.lastname@example.org> writes:
>> In message <email@example.com>, "Perry E. Metzger" writes:
>> >I'm not sure I was even aware of that RFC before now. Are we sure the
>> >IETF still considers it to be a standards track document? I'd also
>> >suggest that the matter be discussed on tech-security -- tech-userlevel
>> >is not the right list...
>> It's still listed as "Proposed Standard" in the index.
>Yah, but it has never gotten past Proposed to Draft, and I'm unaware
>of implementations. At the time it was written, the world was very
>different, and rolling (mostly) your own security transport was
>common. Now everyone Just Uses SSL. The question in my mind is, given
>the utter lack of implementations, do we want something where we've
>got a whole new protocol with potential holes, or do we Just Use SSL
>so we can piggy back on its properties?
>Steve, you're a Security AD. What's your opinion?

As I said, I have no idea if anyone else has implemented it, modulo the
note from Ken Hornstein.

But don't read too much -- or too little -- into the fact that it's a
Proposed Standard. It's often been said that "the Internet runs on
Proposed Standards" -- there are remarkably few Draft standards, let
alone Standards. TLS (RFC 2246) is Proposed, to give just one example.
Failure to advance could mean that no one is using it; it could also
mean that no one has bothered with the process necessary to advance it,
because there doesn't seem to be any point -- it's working, so why

The whole question of whether or not the glut of Proposed standards is
a problem, and if so what should be done, comes up regularly in the
IESG. I have no particular wisdom on the subject.

--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)