Re: [IPsec] Beginning the PAKE selection process
"Dan Harkins" <dharkins@lounge.org> Mon, 24 May 2010 21:07 UTC
Message-ID: <1efd1968902681a735f0f3083b2c3066.squirrel@www.trepanning.net>
In-Reply-To: <4BFADC66.3030902@gmail.com>
References: <p06240809c8170588347a@[10.20.30.158]> <4BFADC66.3030902@gmail.com>
Date: Mon, 24 May 2010 14:07:13 -0700
From: Dan Harkins <dharkins@lounge.org>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: IPsecme WG <ipsec@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [IPsec] Beginning the PAKE selection process
Yaron,

  This is out-of-line. We had discussions on expanding the charter to include this as a work item and there was sufficient support in the WG to add it. At the time you argued against it and suggested that EAP-only was satisfactory. Now that EAP-only has finished WGLC you now want to revisit killing this work item? I object.

  For reasons that were not apparent (to me at least), the new charter said that the only draft specifying EAP-only was to be used as a starting point for the EAP-only work item but the only draft specifying how to solve the secure PSK work item was not. So the only reason this "overwhelming silence" didn't greet EAP-only was because this entire step was short circuited. There wasn't any discussion of EAP-only once it became a work item-- perusing the list shows a whopping zero posts (!) on it between announcement of the -00 version and the start of WGLC (on the -02 version)-- yet no one called for its removal.

  I apologize for the tardiness of my post kicking off discussion on my candidate proposal but I was traveling for the past week-and-a-half and was otherwise indisposed. Hopefully this will start a discussion but if it doesn't then I would expect the same treatment of this work item as that given to EAP-only.

  You seem to alternate wearing your co-chairman's hat or not depending on what particular tactic you are employing but your strategy remains the same. I respectfully request that, when it comes to this work item, you decide whether to wear your WG co-chairman's hat or not and then stick to it.

  regards,

  Dan.

On Mon, May 24, 2010 1:07 pm, Yaron Sheffer wrote:
> Hi everyone,
>
> In the past we have had heated discussions on password-based auth.
> Judging by the resounding silence over the last week, only the draft
> authors are interested. If this is true, then the working group as a
> whole is seemingly unable to work on this charter item.
>
> Personally, I would prefer a different outcome. But as a co-chair, I
> would not hesitate to eliminate this work item if there is no community
> support for it.
>
> Thanks,
> Yaron
>
> On 05/17/2010 05:42 PM, Paul Hoffman wrote:
>> Greetings again. This WG is chartered to "develop a standards-track
>> extension to IKEv2 to allow mutual authentication based on 'weak'
>> (low-entropy) shared secrets." The goal is to avoid off-line dictionary
>> attacks without requiring the use of certificates or EAP. There are many
>> already-developed algorithms that can be used, and the WG needs to pick
>> one that both is believed to be secure and is believed to have
>> acceptable intellectual property features.
>>
>> As we discussed earlier, each WG member needs to come up with their own
>> criteria for making such a choice. Dan Harkins has proposed a set of
>> guidelines that individuals might use when choosing;
>> see <http://www.ietf.org/id/draft-harkins-ipsecme-pake-criteria-00.txt>.
>>
>> So far, three protocols have been proposed to the WG:
>>
>> - <http://tools.ietf.org/html/draft-harkins-ipsecme-spsk-auth>
>>
>> - <http://tools.ietf.org/html/draft-kuegler-ipsecme-pace-ikev2>
>>
>> - <http://tools.ietf.org/html/draft-sheffer-ipsecme-hush>
>>
>> In addition, one more draft was presented to the
>> WG: <http://tools.ietf.org/html/draft-shin-augmented-pake>. However the
>> Augmented PAKE draft does not specify how it would be integrated into
>> IKEv2.
>>
>> Note that more proposals might be made as we discuss; such proposals
>> will hopefully be accompanied by Internet Drafts that show both the
>> crypto and how it would be integrated into IKEv2.
>>
>> To start off this conversation, I propose that people start threads on
>> the individual drafts, saying which positive and negative criteria they
>> think apply to each. I also propose that replying to this message, or
>> starting a thread that is supposedly about all four proposals but only
>> focuses on one, is not going to help much. Of course, the authors of the
>> four drafts are welcome to say why they think their proposal meets an
>> optimum set of criteria, and to clarify parts of their proposals as
>> others comment.
>>
>> Obviously these are all initial drafts, and the WG will have ample
>> opportunity to improve the selected proposal later in the process. For
>> now, please focus on the relative advantages and disadvantages (based on
>> your personal criteria) of each of the proposals.
>>
>> --Paul Hoffman, Director
>> --VPN Consortium
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipsec
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>