[Cfrg] Proposed PAKE Selection Process

Nick Sullivan <nick@cloudflare.com> Fri, 24 May 2019 18:39 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/-J43ZsPw2J5MBC-k8y6--kJJtZk>

Dear CFRG,

We’re planning to start the main phase of the PAKE selection process. This
proposal was developed by Stanislav Smyshlyaev with the support of the CFRG

In addition to helping drive this PAKE selection process, Stanislav has
been selected to the role of Secretary of the CFRG, a position that was
previously vacant.

To be 100% sure that the process will be as transparent and effective as
possible, we would like to announce the proposed plan of handling the
process. If you have any concerns about the plan, please send them to the
chairs before 27.05.2019.

Step 1, 01.06.2019-30.06.2019:

·        Call for candidate protocols. Note: the chairs especially
encourage nominating PAKEs that have been discussed in CFRG recently (the
list can be found in the slides from IETF 104 CFRG session
slide 9). Third-party nominations are encouraged.

·        Discussing the list of questions to be asked in addition to the
ones that are present in RFC 8125. A starting point for such a list of
questions can be the questions gathered before IETF 104 (can be found in the
slides from IETF 104 CFRG session
slides 7-8).

Step 2, 01.07.2019-19.07.2019:

·        The designers of the protocols (or persons who volunteered to push
them forward) prepare papers with:

a.      expanded answers for all positions of RFC 8125;

b.      their own opinions on additional questions selected at Step 1 (they
could be incomplete in some sense – for example, a designer of a PAKE might
not be an expert in TLS and might not be able to reply how his PAKE can be
incorporated in TLS 1.3).

IETF 105 meeting:

·        The chairs give a review of the progress with the process and make
corrections of plans.

·        The chairs enumerate questions (from the list that has been
prepared during Step 1) which should be considered by independent reviewers
before asking the Crypto Review Panel for reviews and analysis. For
instance, it will be important that experts from other WGs consider how
certain PAKEs fit into TLS 1.3, or into IoT devices.

Further steps (subject to corrections after IETF 105 meeting).

Step 3, 01.08.2019-15.08.2019:

·        Call for reviewers for the enumerated questions, which require
additional consideration.

·        Crypto Review Panel members start the process of verification of
security proofs of the candidates (Requirement 2 in RFC 8125).

Step 4, 16.08.2019-15.09.2019:

·        The reviewers who volunteered at step 3 prepare their analysis
regarding the assigned questions.

·        Crypto Review Panel members are in the process of verification of
security proofs of the candidates (Requirement 2 in RFC 8125).

Step 5, 16.09.2019-30.10.2019:

·        Crypto Review Panel members review all gathered materials on each
of the protocols to prepare the final list of verified answers to the
positions of RFC 8125 and all additional questions from the list that has
been prepared during Step 1.

·        If additional explanations are needed, Crypto Review Panel members
ask for them from the designers.

·        Crypto Review Panel members write overall reviews for all
candidate PAKEs, based on the materials that have been gathered and

Step 6, 01.11.2019-16.11.2019:

·        CFRG chairs discuss the obtained reviews and make their
recommendations to CFRG (or convey to CFRG that they can’t make a
recommendation yet).

IETF 106 meeting:

·        The chairs give a review of the progress with the process and make
corrections of plans.

·        If everything is clear:

o   one (or more) PAKEs are selected;

o   the process with CFRG document “Recommendations for password-based
authenticated key establishment in IETF protocols” is initiated: all
practically important recommendations (parameter selection, protecting
implementations against side-channel attacks, handling of counters etc.)
must be given there;

o   at this point documents on usage of selected PAKEs in TLS/IPsec/etc.
can be developed.

Best regards,
Nick on behalf of Stanislav, Kenny, and Alexey