Re: [IPsec] I-D Action: draft-ietf-ipsecme-ikev1-algo-to-historic-00.txt
Dan Harkins <dharkins@lounge.org> Mon, 10 May 2021 15:03 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CA723A201A for <ipsec@ietfa.amsl.com>; Mon, 10 May 2021 08:03:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hF80Zvl7pndk for <ipsec@ietfa.amsl.com>; Mon, 10 May 2021 08:02:56 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26BD83A201C for <ipsec@ietf.org>; Mon, 10 May 2021 08:02:55 -0700 (PDT)
Received: from trixy.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0QSW0P67RCGVEH@wwwlocal.goatley.com> for ipsec@ietf.org; Mon, 10 May 2021 10:02:55 -0500 (CDT)
Received: from blockhead.local ([69.12.173.8]) by trixy.bergandi.net (PMDF V6.7-x01 #2433) with ESMTPSA id <0QSW00K98CCIEW@trixy.bergandi.net> for ipsec@ietf.org; Mon, 10 May 2021 08:00:19 -0700 (PDT)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO blockhead.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Mon, 10 May 2021 08:00:19 -0700
Date: Mon, 10 May 2021 08:02:53 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <24727.50620.391438.681442@fireball.acr.fi>
To: Tero Kivinen <kivinen@iki.fi>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>
Message-id: <491ac483-a062-3793-0a09-2df394509c01@lounge.org>
MIME-version: 1.0
Content-type: text/plain; charset="utf-8"; format="flowed"
Content-language: en-US
Content-transfer-encoding: 8bit
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO blockhead.local)
References: <161962448020.12575.13131318934919776038@ietfa.amsl.com> <40493aa4-ba3a-ad32-fda2-f5ab24d78296@nohats.ca> <6297c870-0507-b3e8-ee6e-5517bdc86bba@lounge.org> <1fcc66b-aca1-6a5-e275-35bd29b3580@nohats.ca> <872b98a9-a6fe-db41-276c-5d0a7e3aa9c5@lounge.org> <24727.50620.391438.681442@fireball.acr.fi>
X-PMAS-Software: PreciseMail V3.3 [210506] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/QsR0qMNBo2s35dDgwIE-AcKaqxQ>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-ikev1-algo-to-historic-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 May 2021 15:03:02 -0000
Hi Tero, Thanks for the clarification. I don't want to resurrect the idea here but I feel compelled to respond to this: On 5/9/21 4:21 AM, Tero Kivinen wrote: > And also I think shared key authentication also offeres exactly same > benefits than authentication with public key encryption for the > deniability point of view (i.e., either end can calculate everything > as long as they know the shared secret). With public key encryption, anyone is able to construct what looks like a valid IKE conversation between any two participants by using publicly available information (i.e. their certificates). For that capability to be done with shared key authentication it would require the shared key used for "authentication" to be known by everyone, which sort of voids the whole security of the protocol. Basically, the shared key authentication mode would only be the equivalent of public key encryption authentication mode when using the Pre-shared Key for the Internet [1], which was an April Fools draft and (I think this bears repeating these days) was not intended to be taken seriously. regards, Dan. [1] https://datatracker.ietf.org/doc/html/draft-ietf-ipsec-internet-key -- "The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius
- [IPsec] I-D Action: draft-ietf-ipsecme-ikev1-algo… internet-drafts
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-ikev1-… Paul Wouters
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-ikev1-… Dan Harkins
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-ikev1-… Paul Wouters
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-ikev1-… Dan Harkins
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-ikev1-… Tero Kivinen
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-ikev1-… Dan Harkins