Re: [IPsec] replacing PSKs: CFRG and PAKE
"Valery Smyslov" <smyslov.ietf@gmail.com> Mon, 10 December 2018 08:22 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7321E130F00 for <ipsec@ietfa.amsl.com>; Mon, 10 Dec 2018 00:22:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.499
X-Spam-Level:
X-Spam-Status: No, score=-0.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PtM_SMDeXj8D for <ipsec@ietfa.amsl.com>; Mon, 10 Dec 2018 00:22:56 -0800 (PST)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9DD0130EFF for <ipsec@ietf.org>; Mon, 10 Dec 2018 00:22:55 -0800 (PST)
Received: by mail-lf1-x136.google.com with SMTP id z13so7276010lfe.11 for <ipsec@ietf.org>; Mon, 10 Dec 2018 00:22:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:references:in-reply-to:subject:date:message-id:mime-version :content-transfer-encoding:content-language:thread-index; bh=qVcoIlwn4e4Mk8RD13cS+bsCir/O+bBOdzaBEJlWFCM=; b=g2JuBk3kd5kkLB7B+NBE+jdnLaEU3ibzF24UyHoREjIUYUgOtMaZu8jrshVchsXC1l GmKibjA4ywupf0Ys+XEPLbl55B+vz6DoDwtqsseTIBsNzcZR04Es/CHujUGYEWZjnw2u cVMijBxPQv32N8O8HnYh39jeMRUJ+XCkLrnOXrJJM3wcTAPahOckNZ75gNIz9nPvTZw2 pb+8NpKVkAjH2kwtxmRce7xIq/A1J5c67DmaabNgXrwtOmXYJWhhbBZcDNHRPwaVLhSl X1Yb3PU519EpBtqRSnO4ie+WoauO8DorJiNUT1mNhYxlzS8rheMrcoUM7bi9wtjbjMoD RQnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:content-language :thread-index; bh=qVcoIlwn4e4Mk8RD13cS+bsCir/O+bBOdzaBEJlWFCM=; b=pKjB7OYl92hTY2SFWxXgboAKC1/fwVSiIPimPenao0RIclEj1ojAruZgLLTRO7TOR8 7wx5Wtm14C+0ll0aSW5n3nF20YgZbNeeJbuuLmM0UpMz/1NFkyMVlQgCGlTgxgqDhLlv 1dPGYHyc4j2J0f5hvEOc0O6hDpyPz8vNCPpgH4iPYS2txcr4CxZfmojnNe46chW9DIOC EcFxcitHxHtsuz6x0YTGL5TBdag6qGaAbBsH41Hrl8+EZZa2wvMNPgVWMpSQKZi30a97 YmNS2tVYuTxl/EHKfThgvG1doczwauahn2hMXVeeTih3/XSKmtSfiyr+juglmp3STeo1 Ys3Q==
X-Gm-Message-State: AA+aEWZ4UQzG7enLJwQiSdpMN7FSXRNA+nDVy3QZ/FlV8MJV7MFsptf4 ihBds5dUun/dBX72edxQPQquwFPI
X-Google-Smtp-Source: AFSGD/XIyh4RG809jQF3ytnKFMvjBVc4P3k4frllon0lBA1fyx7D50B1GLA/dYJJNr2V8mHtyk0sdQ==
X-Received: by 2002:a19:1f54:: with SMTP id f81mr2133110lff.153.1544430173538; Mon, 10 Dec 2018 00:22:53 -0800 (PST)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id k11-v6sm2055068ljk.40.2018.12.10.00.22.52 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 10 Dec 2018 00:22:52 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Michael Richardson' <mcr@sandelman.ca>, ipsec@ietf.org
References: <25207.1544136532@localhost>
In-Reply-To: <25207.1544136532@localhost>
Date: Mon, 10 Dec 2018 11:22:46 +0300
Message-ID: <026601d49061$8809ad30$981d0790$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Content-Language: ru
Thread-Index: AQJjEIcGzPEj/22sYW2hroPcukYuWKRanpIg
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/AMypTW229UCgNlZ4_krXc_BPMVI>
Subject: Re: [IPsec] replacing PSKs: CFRG and PAKE
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Dec 2018 08:22:58 -0000
Hi Michael, > I'm watching the video (in five minute intervals for unexplained > reasons... it seems like I've been watching this video for days). > > I want to +1 Dan: we need a balanced PAKE. > > I sincerely wish Tero was right: that there was no excuse not to use digital > signatures for good site-to-site, even between companies. The reason we > don't have this is because digital signatures keep getting confused with > PKIs, something John Gilmore realized 20 years ago. > > I think we should ask the CFRG to pick a single balanced PAKE for us. Why do you think balanced PAKE is more appropriate for us than augmented? > If the CFRG want to pick another PAKE for other purposes, that's fine. > I think that letting CFRG pick two PAKEs for different purposes might > free up the log jam? They've just announced in Bangkok a desire to start the process of selecting "zero or more" recommended PAKE(s) for IETF community. I believe IPsec is included :-) Another problem with PAKE is that it must be integrated into IKE somehow. EAP definitely can be used for this, but it's a bit expensive from protocol point of view. We also have RFC 6467, but it's Informational and I'm not sure it's widely supported. And while the RFC 6467 framework is flexible enough, it is still not clear for me if it can accommodate PAKEs like OPAQUE... Regards, Valery. > I also heard Dan offer to remain silent, and I just wanted to get that > on the record. > > -- > ] Never tell me the odds! | ipv6 mesh networks [ > ] Michael Richardson, Sandelman Software Works | network architect [ > ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [ >
- [IPsec] replacing PSKs: CFRG and PAKE Michael Richardson
- Re: [IPsec] replacing PSKs: CFRG and PAKE Nico Williams
- Re: [IPsec] replacing PSKs: CFRG and PAKE Michael Richardson
- Re: [IPsec] replacing PSKs: CFRG and PAKE Valery Smyslov
- Re: [IPsec] replacing PSKs: CFRG and PAKE Valery Smyslov
- Re: [IPsec] replacing PSKs: CFRG and PAKE Michael Richardson
- Re: [IPsec] replacing PSKs: CFRG and PAKE Nico Williams
- Re: [IPsec] replacing PSKs: CFRG and PAKE Nico Williams
- Re: [IPsec] replacing PSKs: CFRG and PAKE Paul Wouters
- Re: [IPsec] replacing PSKs: CFRG and PAKE Paul Wouters
- Re: [IPsec] replacing PSKs: CFRG and PAKE Nico Williams
- Re: [IPsec] replacing PSKs: CFRG and PAKE Paul Wouters
- Re: [IPsec] replacing PSKs: CFRG and PAKE Michael Richardson
- Re: [IPsec] replacing PSKs: CFRG and PAKE Paul Wouters
- Re: [IPsec] replacing PSKs: CFRG and PAKE Michael Richardson
- Re: [IPsec] replacing PSKs: CFRG and PAKE Nico Williams
- Re: [IPsec] replacing PSKs: CFRG and PAKE Nico Williams
- Re: [IPsec] replacing PSKs: CFRG and PAKE Valery Smyslov
- Re: [IPsec] replacing PSKs: CFRG and PAKE Michael Richardson
- Re: [IPsec] replacing PSKs: CFRG and PAKE Michael Richardson
- Re: [IPsec] replacing PSKs: CFRG and PAKE Valery Smyslov
- Re: [IPsec] replacing PSKs: CFRG and PAKE Nico Williams
- Re: [IPsec] replacing PSKs: CFRG and PAKE Paul Wouters
- Re: [IPsec] replacing PSKs: CFRG and PAKE Paul Wouters
- Re: [IPsec] replacing PSKs: CFRG and PAKE Valery Smyslov
- Re: [IPsec] replacing PSKs: CFRG and PAKE Yoav Nir
- Re: [IPsec] replacing PSKs: CFRG and PAKE Michael Richardson