Re: [kitten] SPAKE Preauth
Simo Sorce <simo@redhat.com> Sun, 03 May 2015 22:32 UTC
Return-Path: <simo@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AC771A8A59 for <kitten@ietfa.amsl.com>; Sun, 3 May 2015 15:32:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.013
X-Spam-Level:
X-Spam-Status: No, score=-5.013 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OhSLUpj_EOdC for <kitten@ietfa.amsl.com>; Sun, 3 May 2015 15:32:46 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B08DD1A00B0 for <kitten@ietf.org>; Sun, 3 May 2015 15:32:46 -0700 (PDT)
Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) by mx1.redhat.com (Postfix) with ESMTPS id 042A08E795; Sun, 3 May 2015 22:32:45 +0000 (UTC)
Received: from [10.3.113.107] (ovpn-113-107.phx2.redhat.com [10.3.113.107]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t43MWieT028522; Sun, 3 May 2015 18:32:45 -0400
Message-ID: <1430692364.916.58.camel@willson.usersys.redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Nico Williams <nico@cryptonector.com>
Date: Sun, 03 May 2015 18:32:44 -0400
In-Reply-To: <20150502230856.GF10065@localhost>
References: <1430138754.2682.10.camel@redhat.com> <20150501212003.GB10065@localhost> <1430515444.2514.14.camel@redhat.com> <20150501222257.GE10065@localhost> <1430533498.2720.3.camel@redhat.com> <20150502230856.GF10065@localhost>
Organization: Red Hat, Inc.
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/jdrvCV9Vbly_A9yGFpjYHwxdwIE>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] SPAKE Preauth
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 May 2015 22:32:48 -0000
On Sat, 2015-05-02 at 18:08 -0500, Nico Williams wrote: > On Fri, May 01, 2015 at 10:24:58PM -0400, Nathaniel McCallum wrote: > > On Fri, 2015-05-01 at 17:22 -0500, Nico Williams wrote: > > > Is there any reason that a generic one couldn't be specified here? > > > > Speaking for myself, I want to create a high-quality integrated > > experience, not a generic one. I would prefer picking one open > > standard (such as OATH) and getting the details right. This is > > somewhat hard for me to quantify, but it arises from my experience > > implementing RFC 6560. > > I don't buy this. I understand and agree about how a dependency on > _FAST_ made RFC6560 difficult to deploy, and also how RFC6560's > incomplete/missing handling of *multiple* factors made it less useful > than expected. I don't think that means "generality -> bad". > > Also, I don't think a generic OTP 2nd factor here would necessarily lead > to a low-quality user experience. For all user-input OTPs, all the user > needs is a prompt, which can be sent in UTF-8 and already localized to > a language of the user's preference (since the AS ought to know what > that might be). I don't see how the user-input OTP experience can get > much better than that. I think we explicitly exclude sending unauthenticated prompts from the KDC, as it would be easy to confuse/subvert the user experience by an attacker. Because the prompts would have to be sent unauthenticated in the SPAKE algorithm we'd have to define either generic, unhelpful prompts, or define specific OTP mechanisms so that clients have prompts backed in and just reference them by id internally. > I suppose one could add media (a vine showing the act of pulling the OTP > out of one's pocket or purse, reading the OTP, then entering it on a > keyboard? an audio description of the same?), but text is quite > accessible. See above, a generic OTP would have to rely on no text coming from the KDC. Simo. -- Simo Sorce * Red Hat, Inc * New York
- [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Greg Hudson
- Re: [kitten] SPAKE Preauth Benjamin Kaduk
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Greg Hudson
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Ken Hornstein
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Benjamin Kaduk
- Re: [kitten] SPAKE Preauth Benjamin Kaduk
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Simo Sorce
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Ken Hornstein
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Greg Hudson
- Re: [kitten] SPAKE Preauth Ken Hornstein
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Ken Hornstein
- Re: [kitten] SPAKE Preauth Simo Sorce
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nico Williams
- [kitten] Bootstrapping PKINIT server certs with R… Nico Williams