Re: [secdir] secdir review of draft-kuegler-ipsecme-pace-ikev2

Paul Hoffman <> Thu, 14 April 2011 16:00 UTC

From: Paul Hoffman <>
Date: Thu, 14 Apr 2011 09:00:45 -0700
To: Nico Williams <>
Subject: Re: [secdir] secdir review of draft-kuegler-ipsecme-pace-ikev2

On Apr 14, 2011, at 8:38 AM, Nico Williams wrote:

> Of course, PACE is targeting Experimental... do we care about
> cryptographic issues in Experimental RFCs?  I'd say we should, though
> less so than for Standards Track RFCs since we can only spare so much
> energy.

If we "care about" such things, they should be discussed on open mailing lists, particularly if you are criticizing academic publications related to the document.

> I'm rather disappointed to see this wheel reinvented.  SCRAM (RFC5802)
> would fit right in instead of PACE, for example, and has the same
> kinds of properties as PACE, but with a number of advantages over PACE
> (SCRAM is on the Standards Track, received much more review, uses a
> PBKDF with salt and iteration count, is implemented, is reusable in
> many contexts, does channel binding, there's an LDAP schema for
> storing SCRAM password verifiers, ...).
> We, secdir, should be encouraging wheel reuse wherever possible over
> wheel reinvention.

"We" never have encouraged that. Many of "us" are chairs of WGs whose charters explicitly allow or mandate the opposite of what you are proposing. If you want a change, it has to come from the ADs, not from "us".

--Paul Hoffman