Re: [kitten] SPAKE Preauth
Nathaniel McCallum <npmccallum@redhat.com> Mon, 04 May 2015 15:25 UTC
Return-Path: <npmccallum@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27C9F1A1EF3 for <kitten@ietfa.amsl.com>; Mon, 4 May 2015 08:25:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.91
X-Spam-Level:
X-Spam-Status: No, score=-5.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S9CCRXE8lIih for <kitten@ietfa.amsl.com>; Mon, 4 May 2015 08:25:52 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E45E61A1BDD for <kitten@ietf.org>; Mon, 4 May 2015 08:25:51 -0700 (PDT)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (Postfix) with ESMTPS id 984C98F024; Mon, 4 May 2015 15:25:51 +0000 (UTC)
Received: from vpn-57-206.rdu2.redhat.com (vpn-57-206.rdu2.redhat.com [10.10.57.206]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t44FPoqa001692 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 4 May 2015 11:25:51 -0400
Message-ID: <1430753150.2798.13.camel@redhat.com>
From: Nathaniel McCallum <npmccallum@redhat.com>
To: Ken Hornstein <kenh@pobox.com>
Date: Mon, 04 May 2015 11:25:50 -0400
In-Reply-To: <20150504144005.AFB1A4D3E1@pb-smtp1.pobox.com>
References: <20150504144005.AFB1A4D3E1@pb-smtp1.pobox.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/xOZOjYvTB7rQhdjtPx-m4YfAwo8>
Cc: kitten@ietf.org
Subject: Re: [kitten] SPAKE Preauth
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 May 2015 15:25:53 -0000
On Mon, 2015-05-04 at 10:40 -0400, Ken Hornstein wrote: > > Essentially, the answer is different whether OTP is supposed to be > > the > > first (and only) authentication factor, or a second factor to be > > used in > > conjunction with a password. > > See, I think you've got the question all wrong. My question is NOT, > "Is OTP supposed to be the only authentication factor?", it's, "Which > protocol is it actually possible for me to deploy successfully?" I believe the tension you are seeing here is the result of commoditization of 2FA. Early on, 2FA systems were entirely parallel authentication stacks which authenticators would need to integrate with. As 2FA commoditized, we see open protocols which can be integrated into existing authentication stacks. Pre-commiditized 2FA is the context of RFC 6560. There is no attempt here to use the existing 1FA infrastructure of Kerberos. RFC 6560 is just a fancy method for passing credentials in cleartext through Kerberos protected by FAST. The KDC then passes these credentials directly to the parallel authentication stack. It is the HTTPS Basic Auth of the Kerberos world. However, after 2FA commoditized the question becomes how can I augment my existing authentication stack (1FA Kerberos) with a 2FA method. This is what SPAKE Preauth provides. Now, I think your questions here raise an interesting point: can and should we require some standardization to use the 2FA feature of SPAKE preauth? I think the answer is no. And I've come to think that the SPAKESecondFactor type field should really be OBJECT IDENTIFIER. Nathaniel
- [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Greg Hudson
- Re: [kitten] SPAKE Preauth Benjamin Kaduk
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Greg Hudson
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Ken Hornstein
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Benjamin Kaduk
- Re: [kitten] SPAKE Preauth Benjamin Kaduk
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Simo Sorce
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Ken Hornstein
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Greg Hudson
- Re: [kitten] SPAKE Preauth Ken Hornstein
- Re: [kitten] SPAKE Preauth Nathaniel McCallum
- Re: [kitten] SPAKE Preauth Ken Hornstein
- Re: [kitten] SPAKE Preauth Simo Sorce
- Re: [kitten] SPAKE Preauth Nico Williams
- Re: [kitten] SPAKE Preauth Nico Williams
- [kitten] Bootstrapping PKINIT server certs with R… Nico Williams