Re: [Cfrg] draft-irtf-cfrg-dragonfly document status
Paul Lambert <paul@marvell.com> Wed, 08 October 2014 22:51 UTC
Return-Path: <paul@marvell.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 983821A1A47 for <cfrg@ietfa.amsl.com>; Wed, 8 Oct 2014 15:51:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_39=0.6, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XW4o3vnj6squ for <cfrg@ietfa.amsl.com>; Wed, 8 Oct 2014 15:51:15 -0700 (PDT)
Received: from mx0a-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7B4D1A6F07 for <cfrg@irtf.org>; Wed, 8 Oct 2014 15:51:14 -0700 (PDT)
Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.14.5/8.14.5) with SMTP id s98Mp3nu031986; Wed, 8 Oct 2014 15:51:13 -0700
Received: from sc-owa.marvell.com ([199.233.58.135]) by mx0a-0016f401.pphosted.com with ESMTP id 1pw0mtt0wm-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 08 Oct 2014 15:51:12 -0700
Received: from SC-vEXCH2.marvell.com ([10.93.76.134]) by SC-OWA.marvell.com ([::1]) with mapi; Wed, 8 Oct 2014 15:51:12 -0700
From: Paul Lambert <paul@marvell.com>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 08 Oct 2014 15:51:09 -0700
Thread-Topic: [Cfrg] draft-irtf-cfrg-dragonfly document status
Thread-Index: Ac/jSlumLFPinmc/QJab72u2MW9Egw==
Message-ID: <D05B0D7D.5055A%paul@marvell.com>
References: <54357A2A.2010800@isode.com> <CACsn0c=222g7HHpPh++noS3H1jEhawtQAdeA1WbPObN3wZr6jQ@mail.gmail.com> <D05AE162.50264%paul@marvell.com> <CACsn0ckGqUVeOeP17opaynVYm5E7RLJnF4=r20zBYMidBZzEKw@mail.gmail.com>
In-Reply-To: <CACsn0ckGqUVeOeP17opaynVYm5E7RLJnF4=r20zBYMidBZzEKw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.4.140807
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_D05B0D7D5055Apaulmarvellcom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.12.52, 1.0.28, 0.0.0000 definitions=2014-10-08_09:2014-10-08,2014-10-08,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1410080204
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/SiAAXPZNLSa1-Cwq-XgS6yJmdQs
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] draft-irtf-cfrg-dragonfly document status
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Oct 2014 22:51:17 -0000
On Oct 8, 2014 3:26 PM, "Paul Lambert" <paul@marvell.com<mailto:paul@marvell.com>> wrote: > > >> >> On Oct 8, 2014 10:53 AM, "Alexey Melnikov" <alexey.melnikov@isode.com<mailto:alexey.melnikov@isode.com>> wrote: >> > >> > Hi, >> > My apologies for taking so long on this. But I felt I needed to review mailing list discussions to make up my own mind on this topic. >> > >> > After reviewing mailing list discussions about this draft, I would like to do another RGLC on it. I've seen negative comments on the mailing list, but I've also seen some interest in this work and I am also aware that some variants of the algorithm are already implemented/deployed. Also, there were a couple of new revisions of the draft and it is not clear whether people who reported original problems are happy with how they got resolved. So I would like to see a bit more positive feedback on the latest version, in particular I would like to know if specific issues raised by earlier reviews are addressed in the latest version. > > This draft should be published as an RFC. There is considerable value in having a published stable reference document. The market should be allowed to do the estimations of risk and value to field this protocol. Just as they did with RC4 and renegotiation? > > Versions of the protocol have been adopted and fied. This protocol was first introduced into IEEE 802.11s in 2008. The base protocol exchange has also been adopted in the Wi-Fi Alliance. The protocol has been improved by the review in the cfrg and if published, the specification would positively impact the application of the protocol in other forums. > >> My comment (there is no security proof, and alternatives with better provable security) has been acknowledged to be unresolveable. > > Yes, this may be considered a negative point by some but not all. While not a proof, the protocol has been analyzed: > Cryptanalysis of the Dragonfly Key Exchange Protocol > It was interested that the only issue mentioned was a small subgroup attack if the public key is not validated …. which it always should. This analysis ignores Rene Struik's timing attack, my reflection attack, and other comments incorporated into the draft. Yes, the review provided by the cfrg process has been very useful. The protocol has been improved. Now that it has been through multiple revisions it should be published. Paul >> >> The draft authors knew this from the very beginning. >> >> I don't think we should approve a protocol that doesn't have a security proof, particularly given that we are going to work on alternatives. > > “… Going to work on …” is the issue. The draft under discussion has been on IETF servers for 2 years. It has been used in other industry forums for four or five years. Plenty of alternatives have been put forward in those two years, including EKE+Elligator, SPAKE2, JPAKE, and SMP based solutions. The failure to advance these is inexplicable. > > Yes, the cfrg should work as quickly as possible to make alternatives. Stopping the progression of this draft does not accelerate new work, but does prevent existing applications from utilizing a reviewed and improved specification. The nonexistence of this draft did not stop adoption in Wifi. By contrast advancing a number of PAKEs will kick the issue to WGs without the capacity to evaluate the issues. >> >> There is plenty of terrible crypto in IEEE standards > > … and IETF standards. Bringing in other good or bad protocols into the discussion is irrelevant to the decision at hand. >> >> we don't issue drafts for because it is so terrible. > > Since when did the IETF mandate a security proof … There are terrible protocols with proofs, so why does the lack of a proof made something ‘terrible’. > > Paul > > > >> To the extent our publication leads to use of dragonfly as opposed to known - good protocols, it's a problem. > > > > >> > >> > Considering how difficult previous Last Call on the document was, I would like to ask people to: >> > 1) keep in mind that CFRG chairs believe that the RG should work on PAKE requirements and after that on other PAKE proposals. This was suggested by our previous co-chair David McGrew: >> > http://www.ietf.org/mail-archive/web/cfrg/current/msg03723.html >> >> Why doesn't this apply to dragonfly, but only other proposals? >> >> > 2) be professional, in particular no ad hominem attacks >> > 3) be constructive. In particular if you would like a disclaimer being added to the document, please suggest specific text. >> > 4) simple statements of support for publishing the document or objection to publishing it are fine and encouraged. Sending them directly to RG chairs is fine. But please avoid saying "but what about PAKEXXX?", due to 1). >> > 5) unlike IETF, IRTF RGs are not required to reach rough consensus. However I would like to see us try. >> > >> > Best Regards, >> > Alexey, >> > on behalf of chairs. >> > >> > _______________________________________________ >> > Cfrg mailing list >> > Cfrg@irtf.org<mailto:Cfrg@irtf.org> >> > http://www.irtf.org/mailman/listinfo/cfrg > >
- [Cfrg] draft-irtf-cfrg-dragonfly document status Alexey Melnikov
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Paul Lambert
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Paul Lambert
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Dan Harkins
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Peter Gutmann
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Dan Harkins
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Schmidt
- [Cfrg] PAKEs in general (was; Re: draft-irtf-cfrg… Stephen Farrell
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Paul Lambert
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Andy Lutomirski
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Mike Hamburg
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Alexey Melnikov
- [Cfrg] JPAKE and a few other things (was Re: draf… Alexey Melnikov
- [Cfrg] Writing proposals as drafts first (was Re:… Alexey Melnikov
- [Cfrg] PAKE requirements Alexey Melnikov
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Yoav Nir
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Dan Harkins