Re: [IPsec] Beginning the PAKE selection process

Yaron Sheffer <yaronf.ietf@gmail.com> Mon, 24 May 2010 20:07 UTC

To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: IPsecme WG <ipsec@ietf.org>

Hi everyone,

In the past we have had heated discussions on password-based auth. 
Judging by the resounding silence over the last week, only the draft 
authors are interested. If this is true, then the working group as a 
whole is seemingly unable to work on this charter item.

Personally, I would prefer a different outcome. But as a co-chair, I 
would not hesitate to eliminate this work item if there is no community 
support for it.

Thanks,
	Yaron

On 05/17/2010 05:42 PM, Paul Hoffman wrote:
> Greetings again. This WG is chartered to "develop a standards-track extension to IKEv2 to allow mutual authentication based on 'weak' (low-entropy) shared secrets." The goal is to avoid off-line dictionary attacks without requiring the use of certificates or EAP. There are many already-developed algorithms that can be used, and the WG needs to pick one that both is believed to be secure and is believed to have acceptable intellectual property features.
>
> As we discussed earlier, each WG member needs to come up with their own criteria for making such a choice. Dan Harkins has proposed a set of guidelines that individuals might use when choosing; see <http://www.ietf.org/id/draft-harkins-ipsecme-pake-criteria-00.txt>.
>
> So far, three protocols have been proposed to the WG:
>
> - <http://tools.ietf.org/html/draft-harkins-ipsecme-spsk-auth>
>
> - <http://tools.ietf.org/html/draft-kuegler-ipsecme-pace-ikev2>
>
> - <http://tools.ietf.org/html/draft-sheffer-ipsecme-hush>
>
> In addition, one more draft was presented to the WG: <http://tools.ietf.org/html/draft-shin-augmented-pake>. However the Augmented PAKE draft does not specify how it would be integrated into IKEv2.
>
> Note that more proposals might be made as we discuss; such proposals will hopefully be accompanied by Internet Drafts that show both the crypto and how it would be integrated into IKEv2.
>
> To start off this conversation, I propose that people start threads on the individual drafts, saying which positive and negative criteria they think apply to each. I also propose that replying to this message, or starting a thread that is supposedly about all four proposals but only focuses on one, is not going to help much. Of course, the authors of the four drafts are welcome to say why they think their proposal meets an optimum set of criteria, and to clarify parts of their proposals as others comment.
>
> Obviously these are all initial drafts, and the WG will have ample opportunity to improve the selected proposal later in the process. For now, please focus on the relative advantages and disadvantages (based on your personal criteria) of each of the proposals.
>
> --Paul Hoffman, Director
> --VPN Consortium