Re: [IPsec] Beginning the PAKE selection process

"Dan Harkins" <dharkins@lounge.org> Mon, 24 May 2010 23:42 UTC

Message-ID: <beb64bc637fe61c9ed35ce2563333fe9.squirrel@www.trepanning.net>
In-Reply-To: <20100524215455.GV9605@oracle.com>
References: <p06240809c8170588347a@[10.20.30.158]> <4BFADC66.3030902@gmail.com> <1efd1968902681a735f0f3083b2c3066.squirrel@www.trepanning.net> <p06240832c820a32b532c@[10.20.30.158]> <20100524215455.GV9605@oracle.com>
Date: Mon, 24 May 2010 16:41:59 -0700
From: Dan Harkins <dharkins@lounge.org>
To: Nicolas Williams <Nicolas.Williams@oracle.com>
Cc: IPsecme WG <ipsec@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>, Dan Harkins <dharkins@lounge.org>
Subject: Re: [IPsec] Beginning the PAKE selection process

  Hi Nico,

  We discussed this in the WG. The non-PKIX authentication mechanism
using EAP entails pointless encapsulation, twice as many messages,
unnecessary code bloat from implementation of both client and server
EAP state machines (where it had been the case, in RFC 4306, that an
implementation only needed to do one), and the introduction of problems
that didn't use to exist (like the "lying NAS" problem). The WG added
this work item for a very good reason.

  So how do you think the work item should be solved given that the WG
already decided to solve it? What do you think of my draft?

  Dan.

On Mon, May 24, 2010 2:54 pm, Nicolas Williams wrote:
> On Mon, May 24, 2010 at 02:50:23PM -0700, Paul Hoffman wrote:
>> At 2:07 PM -0700 5/24/10, Dan Harkins wrote:
>> >  This is out-of-line.
>>
>> Would it have been less out-of-line if I, the other co-chair wrote it?
>> Or if someone who is not a co-chair but understands how the IETF
>> process is supposed to work wrote it?
>>
>> FWIW, I agree with what Yaron wrote. If there is little or no interest
>> in advancing this work other than from the authors of the drafts, we
>> should strongly consider taking it out of the WG charter. You
>> disagree, and others might agree with you or with Yaron.
>
> Personally I'd much rather that the WG add non-PKIX authentication
> mechanism options to IKEv2 via existing frameworks: either EAP or the
> GSS-API.
>
> Nico