Re: [Lake] proposed scoping text

Mališa Vučinić <> Wed, 29 April 2020 11:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A36F13A0D3A for <>; Wed, 29 Apr 2020 04:40:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uDmzFEk2ufzV for <>; Wed, 29 Apr 2020 04:40:11 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 507233A0CFE for <>; Wed, 29 Apr 2020 04:40:09 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.73,331,1583190000"; d="scan'208,217";a="347277818"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 29 Apr 2020 13:40:03 +0200
From: =?utf-8?B?TWFsacWhYSBWdcSNaW5pxIc=?= <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C3469CBB-DDC3-428F-8835-A19FF2EB0355"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 29 Apr 2020 13:40:01 +0200
In-Reply-To: <>
Cc: Christopher Wood <>, "" <>
To: =?utf-8?Q?G=C3=B6ran_Selander?= <>
References: <> <> <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <>
Subject: Re: [Lake] proposed scoping text
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 29 Apr 2020 11:40:19 -0000

Hi all,

Göran will publish the next version of the requirements document, i.e. the authors’ best guess at resolving the issues based on the current state of discussion on the list and on github. The aim is to solicit comments on the diff and see if we can converge on this document.


> On 29 Apr 2020, at 08:57, Göran Selander <> wrote:
> Hi Chris, 
> Please see response inline.
> On 2020-04-27, 17:33, "Christopher Wood" < <>> wrote:
>>> So, this is in fact good news for those who are concerned 
>>> about complications, since removing the PSK based authentication 
>>> protocol is a significant simplification of design, specification, 
>>> analysis, implementation and testing. 
>>    Are you suggesting that the holistic design and implementation of 
>> an AKE that uses certificates is less complicated than use of PSKs?
>> [GS] I was thinking about the part which we need to specify in LAKE, 
>> not the use of existing protocols for outside the AKE. We could compare 
>> the case of passing a reference to a device certificate to that of 
>> passing a reference to a device public key. What does the receiver have 
>> to do in the different cases? Both certificate and public key needs to 
>> be "validated" by the receiver. If the public key is pre-provisioned 
>> and never revoked that is of course a simpler case, but also has 
>> management and security implications. For the certificate reference it 
>> could be a simple validation request similar to or simultaneously with 
>> the certificate retrieval. Although the security considerations of the 
>> AKE need to prescribe validation, the validation step can be outside 
>> the AKE (assuming case 1 in my previous email). I don't know how to 
>> measure the difference but I was thinking that part to be not so 
>> complicated in comparison to a separate PSK based protocol. For the 
>> case of passing revocation information in the AKE (case 2 in my 
>> previous email) that is of course an additional effort, but there may 
>> be some low hanging fruit in that context.
>    Surely if we're considering the cost of implementing the AKE, we ought to consider all its dependencies too, right? That is, if we support certificates, we should probably consider the cost in doing so, and that cost is a measure of the AKE and whatever else is needed to "validate" them. 
> [GS] Yes, there is a cost associated to a PKI. But there is an even higher cost associated to managing PSK, in terms of provisioning, managing secret keys, etc.  If we consider all dependencies we should also add the costs associated with a compromise, the damage to the asset which is intended to be protected, the loss of brand value, etc., and that the risks associated with PSK-based deployments are much higher. Total cost of ownership is in fact one of the reasons why companies want to move away from manual provisioning towards automated certificate based trust management.
> I think it would be hard to prove that the total cost associated with PSK is lower than with certificates, which is the difference between your proposal and what is currently in the requirements draft.
> Göran
>>> But, again, I think we should 
>>> refrain from the "complication" argument and instead focus on 
>> what we 
>>> need to solve (and to get started!). 
>>> In contrast to removing certificates from the AKE, removing PSK 
>> seems 
>>> not to notably impact the desirable scenarios where this can be 
>>> applied, since RPK by reference can perform as good as PSK. 
>>> Furthermore, I interpreted Ben's mentioning of PSK and RPK as 
>> just an 
>>> example, based on the discussion we had at the latest LAKE 
>> virtual 
>>> interim about the cases where a candidate protocol can perform 
>>> optimally. Not that this subset necessarily was the subset we 
>> should 
>>> restrict to. 
>>>> it assumes some type of PKI in which these certificates exist 
>> and through 
>>>> which endpoints handle tasks such as revocation and 
>> transparency. 
>>>> That may impose requirements on the AKE. TLS had to carve out 
>>>> extension support for CT and OCSP. Is that something we want to 
>> take 
>>>> on when starting down the path towards an efficient AKE?
>>> The efficiency of the AKE need not be restricted by allowing 
>> validation 
>>> of certificates. This discussion really belongs to the design 
>> phase but 
>>> starting it anyway, there are two cases:
>>    I think the important bit here is that the AKE (TLS) had to be 
>> extended to support these emerging technologies after-the-fact. This 
>> suggests the AKE should minimally be extensible if things such as 
>> revocation are not in scope for an initial certificate-focused design.
>> [GS] Good suggestion. I think allowing some simple mechanism for 
>> verifying validity should be in the initial scope, but having it as an 
>> extension would be the backup plan.
>    That might work. I'd like to hear from others about what they think here.
>    Best,
>    Chris
> -- 
> Lake mailing list