Re: [Cfrg] draft-irtf-cfrg-dragonfly document status
Watson Ladd <watsonbladd@gmail.com> Wed, 08 October 2014 22:46 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C1321A02DE for <cfrg@ietfa.amsl.com>; Wed, 8 Oct 2014 15:46:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_39=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4rRbfaWZF5Ur for <cfrg@ietfa.amsl.com>; Wed, 8 Oct 2014 15:46:24 -0700 (PDT)
Received: from mail-yh0-x234.google.com (mail-yh0-x234.google.com [IPv6:2607:f8b0:4002:c01::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 964E91A014B for <cfrg@irtf.org>; Wed, 8 Oct 2014 15:46:24 -0700 (PDT)
Received: by mail-yh0-f52.google.com with SMTP id f10so39960yha.25 for <cfrg@irtf.org>; Wed, 08 Oct 2014 15:46:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=zbsSn2vMIvQBYfGyl+vUKg5NI4IZkwIOGjf0cwphFqk=; b=wUciATXwbnB/8MtD6xqW8ceEZjJ3U0IN7VwkL9wI8Xh+UgXCXcoFIUBCE0mN8PwU05 fPBHSrJ+yLbzrJL9ylrNrqGQxZaTuPwAkFu7DdUHSozTvdL3Q5Ue8diVvSU5Swpy7c5/ AzwwxdmGs9jjllb0R4tVfieEFCc+16fN2Nfiel5VBn5OWohH0L+IUc21p/uWpga5Meuk HZXo2O5NqU307Cnjh7RHTX4+7+75+b+2uFr4GaMl67kOBdqiW5wLzT8RP3URNOOdYHSP xZTc9Y5czIFyEe2f7P0Bqbfq7QnuwNR28f5VLBnBhjCoKox+0COnL/NAFtXMAuYA96zU cWkg==
MIME-Version: 1.0
X-Received: by 10.236.228.100 with SMTP id e94mr19460953yhq.8.1412808383911; Wed, 08 Oct 2014 15:46:23 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Wed, 8 Oct 2014 15:46:23 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Wed, 8 Oct 2014 15:46:23 -0700 (PDT)
In-Reply-To: <D05AE162.50264%paul@marvell.com>
References: <54357A2A.2010800@isode.com> <CACsn0c=222g7HHpPh++noS3H1jEhawtQAdeA1WbPObN3wZr6jQ@mail.gmail.com> <D05AE162.50264%paul@marvell.com>
Date: Wed, 08 Oct 2014 15:46:23 -0700
Message-ID: <CACsn0ckGqUVeOeP17opaynVYm5E7RLJnF4=r20zBYMidBZzEKw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Paul Lambert <paul@marvell.com>
Content-Type: multipart/alternative; boundary="001a11c2cad4dbda130504f11599"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/qIs-2m_TfwoTfa4JYCqn2jmQMmE
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] draft-irtf-cfrg-dragonfly document status
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Oct 2014 22:46:26 -0000
On Oct 8, 2014 3:26 PM, "Paul Lambert" <paul@marvell.com> wrote: > > >> >> On Oct 8, 2014 10:53 AM, "Alexey Melnikov" <alexey.melnikov@isode.com> wrote: >> > >> > Hi, >> > My apologies for taking so long on this. But I felt I needed to review mailing list discussions to make up my own mind on this topic. >> > >> > After reviewing mailing list discussions about this draft, I would like to do another RGLC on it. I've seen negative comments on the mailing list, but I've also seen some interest in this work and I am also aware that some variants of the algorithm are already implemented/deployed. Also, there were a couple of new revisions of the draft and it is not clear whether people who reported original problems are happy with how they got resolved. So I would like to see a bit more positive feedback on the latest version, in particular I would like to know if specific issues raised by earlier reviews are addressed in the latest version. > > This draft should be published as an RFC. There is considerable value in having a published stable reference document. The market should be allowed to do the estimations of risk and value to field this protocol. Just as they did with RC4 and renegotiation? > > Versions of the protocol have been adopted and fied. This protocol was first introduced into IEEE 802.11s in 2008. The base protocol exchange has also been adopted in the Wi-Fi Alliance. The protocol has been improved by the review in the cfrg and if published, the specification would positively impact the application of the protocol in other forums. > >> My comment (there is no security proof, and alternatives with better provable security) has been acknowledged to be unresolveable. > > Yes, this may be considered a negative point by some but not all. While not a proof, the protocol has been analyzed: > Cryptanalysis of the Dragonfly Key Exchange Protocol > It was interested that the only issue mentioned was a small subgroup attack if the public key is not validated …. which it always should. This analysis ignores Rene Struik's timing attack, my reflection attack, and other comments incorporated into the draft. >> >> The draft authors knew this from the very beginning. >> >> I don't think we should approve a protocol that doesn't have a security proof, particularly given that we are going to work on alternatives. > > “… Going to work on …” is the issue. The draft under discussion has been on IETF servers for 2 years. It has been used in other industry forums for four or five years. Plenty of alternatives have been put forward in those two years, including EKE+Elligator, SPAKE2, JPAKE, and SMP based solutions. The failure to advance these is inexplicable. > > Yes, the cfrg should work as quickly as possible to make alternatives. Stopping the progression of this draft does not accelerate new work, but does prevent existing applications from utilizing a reviewed and improved specification. The nonexistence of this draft did not stop adoption in Wifi. By contrast advancing a number of PAKEs will kick the issue to WGs without the capacity to evaluate the issues. >> >> There is plenty of terrible crypto in IEEE standards > > … and IETF standards. Bringing in other good or bad protocols into the discussion is irrelevant to the decision at hand. >> >> we don't issue drafts for because it is so terrible. > > Since when did the IETF mandate a security proof … There are terrible protocols with proofs, so why does the lack of a proof made something ‘terrible’. > > Paul > > > >> To the extent our publication leads to use of dragonfly as opposed to known - good protocols, it's a problem. > > > > >> > >> > Considering how difficult previous Last Call on the document was, I would like to ask people to: >> > 1) keep in mind that CFRG chairs believe that the RG should work on PAKE requirements and after that on other PAKE proposals. This was suggested by our previous co-chair David McGrew: >> > http://www.ietf.org/mail-archive/web/cfrg/current/msg03723.html >> >> Why doesn't this apply to dragonfly, but only other proposals? >> >> > 2) be professional, in particular no ad hominem attacks >> > 3) be constructive. In particular if you would like a disclaimer being added to the document, please suggest specific text. >> > 4) simple statements of support for publishing the document or objection to publishing it are fine and encouraged. Sending them directly to RG chairs is fine. But please avoid saying "but what about PAKEXXX?", due to 1). >> > 5) unlike IETF, IRTF RGs are not required to reach rough consensus. However I would like to see us try. >> > >> > Best Regards, >> > Alexey, >> > on behalf of chairs. >> > >> > _______________________________________________ >> > Cfrg mailing list >> > Cfrg@irtf.org >> > http://www.irtf.org/mailman/listinfo/cfrg > >
- [Cfrg] draft-irtf-cfrg-dragonfly document status Alexey Melnikov
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Paul Lambert
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Paul Lambert
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Dan Harkins
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Peter Gutmann
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Dan Harkins
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Schmidt
- [Cfrg] PAKEs in general (was; Re: draft-irtf-cfrg… Stephen Farrell
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Paul Lambert
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Andy Lutomirski
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Mike Hamburg
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Alexey Melnikov
- [Cfrg] JPAKE and a few other things (was Re: draf… Alexey Melnikov
- [Cfrg] Writing proposals as drafts first (was Re:… Alexey Melnikov
- [Cfrg] PAKE requirements Alexey Melnikov
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Yoav Nir
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Dan Harkins