Re: [secdir] secdir review of draft-kuegler-ipsecme-pace-ikev2

Paul Hoffman <> Thu, 14 April 2011 16:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D72E3E0836 for <>; Thu, 14 Apr 2011 09:56:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -101.612
X-Spam-Status: No, score=-101.612 tagged_above=-999 required=5 tests=[AWL=0.387, BAYES_00=-2.599, J_CHICKENPOX_23=0.6, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UIL0OfO7+upY for <>; Thu, 14 Apr 2011 09:56:54 -0700 (PDT)
Received: from (IPv6.Hoffman.Proper.COM [IPv6:2001:4870:a30c:41::81]) by (Postfix) with ESMTP id E5BDAE0800 for <>; Thu, 14 Apr 2011 09:56:53 -0700 (PDT)
Received: from [] ( []) (authenticated bits=0) by (8.14.4/8.14.3) with ESMTP id p3EGunwl048387 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Thu, 14 Apr 2011 09:56:50 -0700 (MST) (envelope-from
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Paul Hoffman <>
In-Reply-To: <>
Date: Thu, 14 Apr 2011 09:56:49 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <>
To: Nico Williams <>
X-Mailer: Apple Mail (2.1084)
Cc: "" <>, "" <>
Subject: Re: [secdir] secdir review of draft-kuegler-ipsecme-pace-ikev2
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 14 Apr 2011 16:56:55 -0000

On Apr 14, 2011, at 9:29 AM, Nico Williams wrote:

> On Thu, Apr 14, 2011 at 11:00 AM, Paul Hoffman <> wrote:
>> On Apr 14, 2011, at 8:38 AM, Nico Williams wrote:
>>> Of course, PACE is targeting Experimental... do we care about
>>> cryptographic issues in Experimental RFCs?  I'd say we should, though
>>> less so than for Standards Track RFCs since we can only spare so much
>>> energy.
>> If we "care about" such things, they should be discussed on open mailing lists, particularly if you are criticizing academic publications related to the document.
> I'm not sure what you mean.  

I mean that the closed secdir mailing list is not an appropriate place to be discussing proposed problems with crypto protocols if the intended result is that they protocols will change or that serious design discussions happen.

> I cc'ed all, and reviewers are supposed
> to cc authors, so the authors should have a copy of my reply.  

That is not an open discussion, that forces people who are not on this mailing list to go through intermediaries.

> Also,
> over on the IPsec list we've been discussing password-based mechanisms
> (though not this one, yet, because I didn't know it was progressing so
> fast).  Since I just became aware of these issues as a result of a
> secdir posting, that's where I replied.

No problem there: I was discussing what "we" should do if "we" want discussions to have results.

> Are you suggesting that secdir reviews should always be cc'ed to the
> lists where the I-Ds in question were first reviewed?  Or that
> responders to secdir reviews should do so?  Did I do something wrong?
> Really?

No, no, no, and no.

>>> I'm rather disappointed to see this wheel reinvented.  SCRAM (RFC5802)
>>> would fit right in instead of PACE, for example, and has the same
>>> kinds of properties as PACE, but with a number of advantages over PACE
>>> (SCRAM is on the Standards Track, received much more review, uses a
>>> PBKDF with salt and iteration count, is implemented, is reusable in
>>> many contexts, does channel binding, there's an LDAP schema for
>>> storing SCRAM password verifiers, ...).
>>> We, secdir, should be encouraging wheel reuse wherever possible over
>>> wheel reinvention.
>> "We" never have encouraged that. Many of "us" are chairs of WGs whose charters explicitly allow or mandate the opposite of what you are proposing. If you want a change, it has to come from the ADs, not from "us".
> "We", secdir, are volunteers.  This volunteer would rather avoid wheel
> reinvention, and this volunteer, perhaps naively, had hoped others
> would agree.  Perhaps other volunteers disagree (you do).  I
> explicitly referred to secdir, not WG chairs, not ADs, nor did I refer
> to actual current practice, but rather stated an opinion of what we
> ought to do.

Most people on secdir are here because they are chairs of WGs in the Security Area. Maybe you are thinking of the old secdir model. :-)

> All that aside, is it really the case that "we" (secdir) don't mind
> the lack of salting?  Really?!  In 2011, four decades or so since the
> invention of salting?  

I read the paper in the PACE document and thought that it covered the design well. I even looked for follow-ups to the paper and found none (although some may have appeared since I looked). Maybe I'm naive, but I tend to assume that academic review of crypto papers on which there is also discussion in IETF WGs is sufficient for publishing something as an Experimental RFC. 

> Or did you really just mean to criticize me for
> not cc'ing the IPsec list on my reply?

No. If I meant to do that, I would have. This proposal has already been discussed in the WG for a bit over a year.

--Paul Hoffman