Re: [kitten] SPAKE Preauth

Benjamin Kaduk <kaduk@MIT.EDU> Sat, 02 May 2015 21:59 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C3BD1A90C5 for <kitten@ietfa.amsl.com>; Sat, 2 May 2015 14:59:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a5QsWXINgIKB for <kitten@ietfa.amsl.com>; Sat, 2 May 2015 14:59:28 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) by ietfa.amsl.com (Postfix) with ESMTP id 128871A90B7 for <kitten@ietf.org>; Sat, 2 May 2015 14:59:12 -0700 (PDT)
X-AuditID: 12074422-f79cb6d000000d7b-5c-554548b04255
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id 8C.08.03451.0B845455; Sat, 2 May 2015 17:59:12 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id t42LxB2f027363; Sat, 2 May 2015 17:59:11 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t42Lx96r011108 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 2 May 2015 17:59:10 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id t42Lx9ic007991; Sat, 2 May 2015 17:59:09 -0400 (EDT)
Date: Sat, 2 May 2015 17:59:08 -0400 (EDT)
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Ken Hornstein <kenh@pobox.com>
In-Reply-To: <20150502025805.A41394E5EF@pb-smtp1.pobox.com>
Message-ID: <alpine.GSO.1.10.1505021757480.22210@multics.mit.edu>
References: <20150502025805.A41394E5EF@pb-smtp1.pobox.com>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrNIsWRmVeSWpSXmKPExsUixCmqrbvBwzXU4Md2Lov+puMsFkc3r2Jx YPJYsuQnk8fFS8oBTFFcNimpOZllqUX6dglcGXv29zAXPOWo6Pgxh7WBsZG9i5GTQ0LARKL/ /XtmCFtM4sK99WxdjFwcQgKLmSRmrd/CBOFsYJR4dW4hC4RzkEli4sdNYC1CAvUSjUdOs4HY LAJaEs8714HF2QRUJGa+2QgU5+AQEVCSOHNOAiTMLCAssf7cDLASYQFlibOvToFdwSlgLTH5 5RwWEJtXwFHiUl8rC8R4K4kHTUtYQWxRAR2J1funQNUISpyc+YQFYqaWxPLp21gmMArOQpKa hSS1gJFpFaNsSm6Vbm5iZk5xarJucXJiXl5qka6pXm5miV5qSukmRlCYsrso7WD8eVDpEKMA B6MSD+8HLZdQIdbEsuLK3EOMkhxMSqK8d/8ChfiS8lMqMxKLM+KLSnNSiw8xSnAwK4nwcku7 hgrxpiRWVqUW5cOkpDlYlMR5N/3gCxESSE8sSc1OTS1ILYLJynBwKEnwrnYHahQsSk1PrUjL zClBSDNxcIIM5wEa7ghSw1tckJhbnJkOkT/FqCglzvsEJCEAksgozYPrhaWRV4ziQK8I854F qeIBpiC47ldAg5mABh+odwEZXJKIkJJqYAx8r8z+pjb9xqzOgsiYWOs68ZyTZvpTZx4OmTeD y/OPzom64JOaU34ZWGUk7s5P1udIUbNp+xY423qu/tTCZw/LH0W0Jc6p1om7lx9376/Y9/y9 TJbX4kuKy3Qen9/p/lvnMrP18uKbu7wi8puLvf/V9fxJ3udzrvZ6unigRcHE5/Ii5RYiSizF GYmGWsxFxYkAV07DP/4CAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/OdWcNRkeD0rCa7JLKsWgbl1tsk8>
Cc: kitten@ietf.org
Subject: Re: [kitten] SPAKE Preauth
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 May 2015 21:59:29 -0000

On Fri, 1 May 2015, Ken Hornstein wrote:

> >Speaking for myself, I want to create a high-quality integrated
> >experience, not a generic one. I would prefer picking one open
> >standard (such as OATH) and getting the details right. This is
> >somewhat hard for me to quantify, but it arises from my experience
> >implementing RFC 6560.
>
> So ... I hate to ask this, but does this mean KITTEN is coming around
> to officially deciding that OTP in Kerberos should _not_ use FAST?  I
> will fully admit that I've been out of the Kerberos game for a while,
> but seeing Nathan's description of the challenges with deploying FAST
> makes me realize that I'd run into the exact same problems ... and that
> makes me think that a FAST-based OTP would probably be very challenging
> if you had a diverse Kerberos deployment.  And I simply wouldn't bother
> deploying both FAST and SPAKE; I'd just pick one to make things easier.

Essentially, the answer is different whether OTP is supposed to be the
first (and only) authentication factor, or a second factor to be used in
conjunction with a password.

-Ben