IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd

"Dan Harkins" <dharkins@lounge.org> Wed, 04 December 2013 00:12 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D42D01ADD02 for <tls@ietfa.amsl.com>; Tue, 3 Dec 2013 16:12:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.867
X-Spam-Level:
X-Spam-Status: No, score=-3.867 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vvcvdKzAr-_M for <tls@ietfa.amsl.com>; Tue, 3 Dec 2013 16:12:20 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id BFB6B1ADBCD for <tls@ietf.org>; Tue, 3 Dec 2013 16:12:20 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 7AE74A888012; Tue, 3 Dec 2013 16:12:17 -0800 (PST)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Tue, 3 Dec 2013 16:12:17 -0800 (PST)
Message-ID: <09dadea8236bf9e66d3e86277b4bd435.squirrel@www.trepanning.net>
In-Reply-To: <CAGZ8ZG0PuiVCYrGSLVAEF7qd+V1bBgWyxnWLfuDzhHdg3GdH1Q@mail.gmail.com>
References: <3065D910-832C-47B6-9E0B-2F8DCD2657D2@cisco.com> <529C990D.3020608@gmail.com> <6b51bc68470b316cf6d38c7033c0d451.squirrel@www.trepanning.net> <CAGZ8ZG0PuiVCYrGSLVAEF7qd+V1bBgWyxnWLfuDzhHdg3GdH1Q@mail.gmail.com>
Date: Tue, 03 Dec 2013 16:12:17 -0800
From: Dan Harkins <dharkins@lounge.org>
To: Trevor Perrin <trevp@trevp.net>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Dec 2013 00:12:23 -0000

On Tue, December 3, 2013 2:59 pm, Trevor Perrin wrote:
> On Tue, Dec 3, 2013 at 12:27 AM, Dan Harkins <dharkins@lounge.org> wrote:
>>
>>   Dear Rene,
>>
>> On Mon, December 2, 2013 6:28 am, Rene Struik wrote:
>>> Dear colleagues:
>>>
>>> I had a look at draft-ietf-tls-pwd-02. While I do appreciate the work
>>> that went into this draft, I have to concur with some other commenters
>>> (e.g., Doug Stebila, Bodo Moeller) that it is unclear what makes this
>>> protocol special compared to other contenders, both in terms of
>>> performance and detailed cryptanalysis. One glaring omission is
>>> detailed
>>> security evidence, which is currently lacking (cross-referencing some
>>> other standards that have specified the protocol does not by itself
>>> imply the protocol is therefore secure). I am kind of curious what
>>> technical advantages the "Dragonfly" protocol has over protocols that
>>> seem to have efficiency, detailed and crypto community reviewed
>>> evidence, such as, e.g., AugPAKE (which is another TLS-aimed draft) and
>>> others. So, if the TLS WG has considered a feature comparison, that
>>> would be good to share.
>>
>>   dragonfly is a balanced PAKE kind of exchange and it has certain
>> advantages over augmented PAKE schemes like TLS-SRP
>
> Wait, what?

  Yes, well good morning to you too!

> "Augmented PAKE" is of course better than "Balanced PAKE", as it
> allows the server to store non-usable credentials.

  This point was noted in the text you snipped in your response.

> TLS already has an "Augmented PAKE" - TLS/SRP (RFC 5054) which is
> implemented in OpenSSL and elsewhere.

  This was also mentioned in the text you snipped in your response.

> It's not used on the web, or widely, as the TLS layer is generally the
> wrong place for user authentication (e.g. leaks username, terminated
> at front-end machines without access to user credentials, etc).
>
> However, what little demand exists for a TLS PAKE seems like it's
> being adequately served by TLS-SRP.
>
> Why is the WG considering another PAKE with worse properties
> (non-augmented)?

  As has been discussed on the list, because it also has better
properties. And it has useful applications.

  A better question is, where have you been for the past 2 years?
You wait to question consideration of this draft not only after it's
been adopted as a working group item but also after WGLC has
closed on the draft!

  Dan.

v2.23.0 | Report a Bug | By Email