RFC draft expired

Question

RFC draft expired

xorhash opened this issue 5 years ago · comments

https://tools.ietf.org/html/draft-paragon-paseto-rfc-00 notes: “Expires: October 21, 2018” No new draft seems to have been submitted yet. This may need updating.

Shrivatsa Upadhye · Answer 1 · Fri Jan 10 2020 07:01:59 GMT+0800 (China Standard Time)

Was this converted to a standard ? I can find only the draft submission.

P.I.E. Security Team · Answer 2 · Fri Jan 10 2020 07:08:00 GMT+0800 (China Standard Time)

No, it depends on the XChaCha draft first.

Shrivatsa Upadhye · Answer 3 · Fri Jan 10 2020 07:17:13 GMT+0800 (China Standard Time)

Thanks for the quick response. I noticed that the draft for that is expiring this month (JAN 2020). Will it be extended? The reason I am asking is I would like to implement this within my application but wanted to see a roadmap of PASETO becoming a standard :)

P.I.E. Security Team · Answer 4 · Fri Jan 10 2020 07:19:00 GMT+0800 (China Standard Time)

XChaCha was supposed to be reviewed for standardization in 2019. We'll bug the CFRG to get this in motion as soon as we can for 2020.

Once XChaCha is an Internet standard, we'll review some of the feedback we've received from the cryptography community, amend the RFC draft, and then issue a follow-up PASETO draft.

Shrivatsa Upadhye · Answer 5 · Fri Jan 10 2020 07:22:07 GMT+0800 (China Standard Time)

Thanks for the update. This helps.

François Kooman · Answer 6 · Fri Jan 10 2020 07:25:00 GMT+0800 (China Standard Time)

XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305

P.I.E. Security Team · Answer 7 · Fri Jan 10 2020 07:53:30 GMT+0800 (China Standard Time)

Now it's at https://tools.ietf.org/html/draft-irtf-cfrg-xchacha-02

CFRG thread: https://mailarchive.ietf.org/arch/msg/cfrg/coaC68uPo1nD_3rrjSh8UzHTevM

xorhash · Answer 8 · Fri Jan 10 2020 13:19:18 GMT+0800 (China Standard Time)

I don't think you need to stall PASETO efforts. E.g. the BLS I-D has apparently no issues continuing while the hash-to-point I-D is still a draft.

P.I.E. Security Team · Answer 9 · Fri Jan 10 2020 20:01:22 GMT+0800 (China Standard Time)

Speaking from experience dealing with open source communities and political decisions thereof...

IETF members can and will use "but XChaCha isn't an RFC yet!" to stall a PASETO RFC, because it competes with JOSE (which is inexplicably popular for some reason), even in the presence of a congruent counterexample. The same logic does not necessarily need to hold for other projects.

In our experience, we've discovered that community/group dynamics do not have to be logically consistent, and expecting them to be will just lead to any efforts we start being dead in the water.

The best course of action is to assume the worst and plan accordingly. That's how we've been able to make changes to the PHP core, to WordPress, and (thus far) with the IETF.

Oleg Kovalov · Answer 10 · Wed Aug 19 2020 05:12:31 GMT+0800 (China Standard Time)

Now it's at tools.ietf.org/html/draft-irtf-cfrg-xchacha-02

Well, it's also expired: Expires: July 13, 2020 @paragonie-security

P.I.E. Security Team · Answer 11 · Wed Jul 28 2021 09:09:07 GMT+0800 (China Standard Time)

We intend to revisit this in the near future.

P.I.E. Security Team · Answer 12 · Sun Aug 01 2021 03:37:52 GMT+0800 (China Standard Time)

The specification lives here: https://github.com/paseto-standard/paseto-spec
The RFC draft lives here: https://github.com/paseto-standard/paseto-rfc

I'm going to close this issue. If you don't hear about a PASETO RFC in the next few months, please feel free to open an issue in one or both of those repositories.