paragonie / paseto

Platform-Agnostic Security Tokens
https://paseto.io

RFC draft expired #108

Closed xorhash closed 3 years ago

xorhash commented 4 years ago

https://tools.ietf.org/html/draft-paragon-paseto-rfc-00 notes: “Expires: October 21, 2018”. No new draft seems to have been submitted yet. This may need updating.

ishrivatsa commented 4 years ago

Was this converted to a standard? I can find only the draft submission.

paragonie-security commented 4 years ago

No, it depends on the XChaCha draft first.

ishrivatsa commented 4 years ago

Thanks for the quick response. I noticed that the draft for that is expiring this month (JAN 2020). Will it be extended? The reason I am asking is I would like to implement this within my application but wanted to see a roadmap of PASETO becoming a standard :)

paragonie-security commented 4 years ago

XChaCha was supposed to be reviewed for standardization in 2019. We'll bug the CFRG to get this in motion as soon as we can for 2020.

Once XChaCha is an Internet standard, we'll review some of the feedback we've received from the cryptography community, amend the RFC draft, and then issue a follow-up PASETO draft.

ishrivatsa commented 4 years ago

Thanks for the update. This helps.

ghost commented 4 years ago

XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305

paragonie-security commented 4 years ago

Now it's at https://tools.ietf.org/html/draft-irtf-cfrg-xchacha-02

CFRG thread: https://mailarchive.ietf.org/arch/msg/cfrg/coaC68uPo1nD_3rrjSh8UzHTevM

xorhash commented 4 years ago

I don't think you need to stall PASETO efforts. E.g. the BLS I-D has apparently no issues continuing while the hash-to-point I-D is still a draft.

paragonie-security commented 4 years ago

Speaking from experience dealing with open source communities and political decisions thereof...

IETF members can and will use "but XChaCha isn't an RFC yet!" to stall a PASETO RFC, because it competes with JOSE (which is inexplicably popular for some reason), even in the presence of a congruent counterexample. The same logic does not necessarily need to hold for other projects.

In our experience, we've discovered that community/group dynamics do not have to be logically consistent, and expecting them to be will just lead to any efforts we start being dead in the water.

The best course of action is to assume the worst and plan accordingly. That's how we've been able to make changes to the PHP core, to WordPress, and (thus far) with the IETF.

cristaloleg commented 4 years ago

Now it's at tools.ietf.org/html/draft-irtf-cfrg-xchacha-02

Well, it's also expired: Expires: July 13, 2020 @paragonie-security

paragonie-security commented 3 years ago

We intend to revisit this in the near future.

paragonie-security commented 3 years ago

I'm going to close this issue. If you don't hear about a PASETO RFC in the next few months, please feel free to open an issue in one or both of those repositories.