Re: [kitten] SPAKE Preauth

Ken Hornstein <> Tue, 05 May 2015 04:17 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id CF4601A90BA for <>; Mon, 4 May 2015 21:17:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id SpfJtvItLqB6 for <>; Mon, 4 May 2015 21:17:38 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 4B8F51A9062 for <>; Mon, 4 May 2015 21:17:38 -0700 (PDT)
Received: from (unknown []) by (Postfix) with ESMTP id 832F241429 for <>; Tue, 5 May 2015 00:17:36 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=from:to :subject:in-reply-to:mime-version:content-type:date:message-id; s=sasl; bh=E1OyzhYR27RAwQ7+8D8hf9KO6yw=; b=tpCYqkZI6hQRWxZL+aeR 8PXRCtdheybpW8843YZE4DfGXCDzwttSJSX7zLO77mogJMcL4mgCcabY87aWik08 i6VynW++6VCPTM8Inammz5j0NzBVk0DtAw4oBnrh3YGcuTsxX0THoel4G2kRdzBq wzFwpgaZ8lB+fAcdAAdKYug=
DomainKey-Signature: a=rsa-sha1; c=nofws;; h=from:to:subject :in-reply-to:mime-version:content-type:date:message-id; q=dns; s=sasl; b=d4nhq6TCTHDPnajnXA3y+RIwblPul6QLWbkrcFm4Sc2ddQ7lWxKCi 7JQ1cVXMa82Q0wKCS+KIpqsoEDz6HqXomXq6lvlZydgFJc8ee6mhR5j+MZ6jkok9 cB4VGcFErIxgMaLhpsNXATY31CgrgeKeS4qzGDYrTZe8sIBLU6NAJQ=
Received: from (unknown []) by (Postfix) with ESMTP id 7CC3741428 for <>; Tue, 5 May 2015 00:17:36 -0400 (EDT)
Received: from paradise-falls.internal (unknown []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 2A1AF41426 for <>; Tue, 5 May 2015 00:17:36 -0400 (EDT)
From: Ken Hornstein <>
In-Reply-To: <>
X-Face: "Evs"_GpJ]],xS)b$T2#V&{KfP_i2`TlPrY$Iv9+TQ!6+`~+l)#7I)0xr1>4hfd{#0B4 WIn3jU;bql;{2Uq%zw5bF4?%F&&j8@KaT?#vBGk}u07<+6/`.F-3_GA@6Bq5gN9\+s;_d gD\SW #]iN_U0 KUmOR.P<|um5yP<ea#^"SJK;C*}fMI;Mv(aiO2z~9n.w?@\>kEpSD@*e`
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 05 May 2015 00:17:34 -0400
X-Pobox-Relay-ID: A8D18710-F2DD-11E4-AEC3-83E09F42C9D4-90216062!
Message-Id: <>
Archived-At: <>
Subject: Re: [kitten] SPAKE Preauth
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 05 May 2015 04:17:41 -0000

>> I do not quite understand your point ... are you saying that your I-D
>> should completely specify how all 2FA systems work with SPAKE?  And
>> personally I'd vote to keeping SPAKESecondFactor an Int32 rather than
>> an OID.
>No. I'm saying a vendor can define their own 2FA and assign it an
>enterprise OID number and use it out of the box. No standardization
>Then we would create some IETF OIDs for open protocols (such as OATH
>and U2F).

I'm wondering how that is better than the "normal" Kerberos scheme where
vendors can register their 2FA or whatever with IANA.

And on further thought ... I realize that I'm strongly with Nico in that
a generic OTP should be specified somewhere.  I know you mentioned U2F,
but that just seems like an additional unnecessary layer (also, the U2F
protocol seems to be web-specific, in that it mentions adding the origin
URL and TLS channel ID to the authentication flow).  Sure, if people
want to use U2F no objections here, but it just seems lousy that the
initial specification(s) don't mention a generic OTP protocol; like Nico
said, there are a ton of these devices.