Re: [kitten] SPAKE Preauth

Ken Hornstein <> Sat, 02 May 2015 02:58 UTC


>Speaking for myself, I want to create a high-quality integrated
>experience, not a generic one. I would prefer picking one open
>standard (such as OATH) and getting the details right. This is
>somewhat hard for me to quantify, but it arises from my experience
>implementing RFC 6560.

So ... I hate to ask this, but does this mean KITTEN is coming around
to officially deciding that OTP in Kerberos should _not_ use FAST?  I
will fully admit that I've been out of the Kerberos game for a while,
but seeing Nathan's description of the challenges with deploying FAST
makes me realize that I'd run into the exact same problems ... and that
makes me think that a FAST-based OTP would probably be very challenging
if you had a diverse Kerberos deployment.  And I simply wouldn't bother
deploying both FAST and SPAKE; I'd just pick one to make things easier.