Re: Last Call: <draft-harkins-owe-05.txt> (Opportunistic Wireless Encryption) to Informational RFC

Daniel Harkins <> Mon, 16 January 2017 17:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DD25B1295B1 for <>; Mon, 16 Jan 2017 09:09:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.1
X-Spam-Status: No, score=-5.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rCRdy15UDaOR for <>; Mon, 16 Jan 2017 09:09:20 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 15C1F1295B8 for <>; Mon, 16 Jan 2017 09:09:20 -0800 (PST)
X-ASG-Debug-ID: 1484586544-0bce8964242f9170001-h9jmKw
Received: from ([]) by with ESMTP id VQn4n8URQMV9lauH (version=TLSv1.2 cipher=AES128-SHA256 bits=128 verify=NO); Mon, 16 Jan 2017 09:09:04 -0800 (PST)
Received: from ([fe80::6c58:60ca:c422:ac39]) by ([fe80::ede6:da8e:28ca:306%15]) with mapi id 14.03.0266.001; Mon, 16 Jan 2017 09:09:04 -0800
From: Daniel Harkins <>
To: Stephen Farrell <>, "" <>
Subject: Re: Last Call: <draft-harkins-owe-05.txt> (Opportunistic Wireless Encryption) to Informational RFC
Thread-Topic: Last Call: <draft-harkins-owe-05.txt> (Opportunistic Wireless Encryption) to Informational RFC
X-ASG-Orig-Subj: Re: Last Call: <draft-harkins-owe-05.txt> (Opportunistic Wireless Encryption) to Informational RFC
Thread-Index: AQHSTxdalPUxBkbw00W0YMtrb3exoaE8FRIA//+DOIA=
Date: Mon, 16 Jan 2017 17:09:04 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/f.1d.0.161209
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Barracuda-Connect: UNKNOWN[]
X-Barracuda-Start-Time: 1484586544
X-Barracuda-Encrypted: AES128-SHA256
X-Virus-Scanned: by bsmtpd at
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=7.0 tests=
X-Barracuda-Spam-Report: Code version 3.2, rules version Rule breakdown below pts rule name description ---- ---------------------- --------------------------------------------------
Archived-At: <>
Cc: "" <>
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 16 Jan 2017 17:27:02 -0000

  Hi Stephen,

(an outlook update has fubar'd my mail response formatting so sorry for
any confusion that arises below, I'll preface with a [DNH])

On 1/16/17, 8:35 AM, "Stephen Farrell" <> wrote:

    Hi Dan, Warren,
    The (extended) last call for this is now over.
    There were minor comments from the gen-art [1] and opsdir
    reviews (not sent to a list?) and some additional editorial
    comments received offlist (from IEEE folks I believe).
    As promised, I also asked some IEEE folks about this and got
    one substantive comment, which is below. (The author of that
    didn't yet say yes when I asked if it was ok to forward their
    email, so I'll post the comment itself and send a link to this
    to the author, who can then decide to engage or not.) The
    comment was:
    "It's possible to do this via EAP, either as a new EAP method
    implementing OWE or as an extension to EAP-TLS wherein client certs are
    not required and a DH/DHE TLS ciphersuite is used. These approaches are
    squarely within IETF's jurisdiction.  Why not go that route?  Indeed
    there are a couple extra round trips required in the protocol, but you
    don't commit any standardization cardinal sins along the way. "

[DNH]There are a number of reasons not to do this with EAP. I present
them in no particular order:

  1. EAP sucks :-)
  2. What would the client put in the Identity response? Nothing?
      Typically that is used to decide which EAP method to proffer. While
      it would be possible to define how to proceed, it would be
      arbitrary and seem kind of a hackish (put "anonymous@owe" in
      the response and hope that owe is never used in a RADIUS
      routing message, or put "owe" in the response and hope that
      there are no users in the world whose username is "owe").
  3. The network would show up as "WPA-2 Enterprise" and many
      supplicants will immediately ask for a username/password. We
      want this to show up as "Open" and the client is not bothered
      in order to get opportunistic encryption. Doing EAP might cause
      the user to have to do something and that defeats the whole 
  4. There's a bunch of pointless encapsulations (TLS encapsulation, 
       EAP encapsulation, dot1x encapsulation) and pointless negotiations
       (TLS negotiation, EAP "negotiation") on top of the simple DH that
      OWE is doing. See #1.
  5. This is for small cafes and the like and these people don't know
       EAP from shinola and they certainly don't want to learn just to
       deploy OWE. While lots of the EAP-specific goo can be hidden from
       the admin it does get messy. See #4.
  6. It would require an EAP server on the AP (since we're not going to
       require AAA servers deployed in cafes just to do OWE!) which is
       more code that some low-end APs do not have. See #1.
  7. I do not believe any cardinal sins of standardization are being
      committed with OWE and therefore there is no need to solve the
      problem using a new EAP method. 

    I don't think any of the above are fatal to proceeding but would
    like if Dan and/or Warren can respond to those comments and submit
    a revised ID if one is needed. Assuming nothing major ensues as a
    result I'll put this draft on an upcoming IESG telechat.

[DNH] I don't believe a revised ID is needed based on this comment but
there is a need for a revised ID from the other comments received. Warren
and I will produce a revised ID.


    On 05/12/16 16:48, The IESG wrote:
    > The IESG has received a request from an individual submitter to consider
    > the following document:
    > - 'Opportunistic Wireless Encryption'
    >   <draft-harkins-owe-05.txt> as Informational RFC
    > The IESG plans to make a decision in the next few weeks, and solicits
    > final comments on this action. Please send substantive comments to the
    > mailing lists by 2017-01-13. Exceptionally, comments may be
    > sent to instead. In either case, please retain the
    > beginning of the Subject line to allow automated sorting.
    > Abstract
    >    This memo specifies an extension to IEEE Std 802.11 to provide for
    >    opportunistic (unauthenticated) encryption to the wireless media.
    > The file can be obtained via
    > IESG discussion can be tracked via
    > No IPR declarations have been submitted directly on this I-D.