Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)

Paul Hoffman <> Sun, 28 March 2010 14:39 UTC

Message-Id: <p06240806c7d51823a16f@[]>
In-Reply-To: <>
References: <015701cacc74$9b0f3c20$d12db460$> <> <018001cacd04$d59efc50$80dcf4f0$> <> <001001cacdd7$557f0190$007d04b0$> <> <001801cace41$98e87e10$cab97a30$> <> <000301cace6f$24b23170$6e169450$> <>
Date: Sun, 28 Mar 2010 07:39:50 -0700
From: Paul Hoffman <>
Subject: Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)

<wg-co-chair-hat on>

The disagreement between Dan and Yaron is over wording in the not-at-all normative criteria draft. This draft is not intended to become an RFC, and is not binding on the WG. It currently is being edited by Yaron; soon it will be edited by both Yaron and Dan.

From the active thread the past few days, it seems that Dan disagrees with Yaron's view that people are thinking about the PAKE primarily as a gateway-to-gateway solution. That's fine: others in the WG might take one view or the other. I ask that Dan and Yaron produce an -03 with both views in it. I note that the current WG charter does not insist that the PAKE we choose be for gateway-to-gateway, but that it does list "authentication between two servers or routers" as a motivating scenario, and does not list remote access as a motivating scenario for the proposed new work.

As WG members consider which criteria are important to them, they should also consider what scenarios we want to emphasize in the eventual document. I use the word "emphasize" here because we cannot prevent implementers and administrators from using the new authentication mechanism however they want; we have plenty of experience with IKE and IPsec documents saying "you should use this in that way" that are merrily ignored by large parts of the market.

--Paul Hoffman, Director
--VPN Consortium