Re: [IPsec] [Cfrg] Beginning discussion on secure password-only authentication for IKEv2

["Blumenthal, Uri - 0662 - MITLL" <uri@ll.mit.edu>]

You're good!  :-)

On the vendor side - perhaps EKE patent concern was the cause (you implement/sell free SRP and get slapped with EKE licensing)? And the users found alternative solutions in the meanwhile?

Do you think weak passwords are too dangerous overall (many other ways of attacking them outside of direct protocol attempts that we try to defend against), and so we shouldn't entertain them at all?

Tnx!
Regards,
Uri

----- Original Message -----
From: pgut001 <pgut001@wintermute02.cs.auckland.ac.nz>
To: smb@cs.columbia.edu <smb@cs.columbia.edu>; Blumenthal, Uri - 0662 - MITLL
Cc: cfrg@irtf.org <cfrg@irtf.org>; Hannes.Tschofenig@gmx.net <Hannes.Tschofenig@gmx.net>; ipsec@ietf.org <ipsec@ietf.org>; paul.hoffman@vpnc.org <paul.hoffman@vpnc.org>
Sent: Tue Mar 02 19:41:43 2010
Subject: Re: [Cfrg] [IPsec] Beginning discussion on secure password-only authentication for IKEv2

"Steven M. Bellovin" <smb@cs.columbia.edu> writes:

>Note that the EKE patent expires in October 2011.  (At least I think it does;
>it was filed in October 1991.)  Depending on when you expect implementations
>to appear-- and given how long it takes to produce standards-track documents
>in the IETF -- it might not be a problem.

Given that SRP implementations have been available and more or less freely 
usable for quite some time and TLS-PSK is completely unencumbered anyway, I 
think the real issue won't be "when will implementations appear" but "why 
isn't anyone using them when they are available"?

(Mind you that's a layer 8 issue, and therefore not our problem :-).

Peter.