Re: [kitten] SPAKE Preauth

Ken Hornstein <kenh@pobox.com> Sat, 02 May 2015 02:58 UTC

From: Ken Hornstein <kenh@pobox.com>
To: kitten@ietf.org
In-Reply-To: <1430533498.2720.3.camel@redhat.com>
Date: Fri, 01 May 2015 22:58:04 -0400
Message-Id: <20150502025805.A41394E5EF@pb-smtp1.pobox.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/bEou9IKKcuxOQZvAD63NX3yiHTY>
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>

>Speaking for myself, I want to create a high-quality integrated
>experience, not a generic one. I would prefer picking one open
>standard (such as OATH) and getting the details right. This is
>somewhat hard for me to quantify, but it arises from my experience
>implementing RFC 6560.

So ... I hate to ask this, but does this mean KITTEN is coming around
to officially deciding that OTP in Kerberos should _not_ use FAST?  I
will fully admit that I've been out of the Kerberos game for a while,
but seeing Nathan's description of the challenges with deploying FAST
makes me realize that I'd run into the exact same problems ... and that
makes me think that a FAST-based OTP would probably be very challenging
if you had a diverse Kerberos deployment.  And I simply wouldn't bother
deploying both FAST and SPAKE; I'd just pick one to make things easier.

--Ken