Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
Ralf Skyper Kaiser <skyper@thc.org> Wed, 11 December 2013 16:03 UTC
Hi,

I'm concerned that it will happen in practice: Same password for all users to authenticate the server.

I feel that the risk should be mentioned under 'Security Considerations'.

"It should be noted that any user with the knowledge of the password can impersonate the server and perform a Man-in-the-middle attack against any other user who is using the same password".

(Maybe some native English speaker can make this sound like Prince Charles would say it.)

Comments welcome,

regards,

ralf

On Tue, Dec 10, 2013 at 10:06 PM, Dan Harkins <dharkins@lounge.org> wrote:

> Hi Ralf,
>
> On Tue, December 10, 2013 8:45 am, Ralf Skyper Kaiser wrote:
> > Hi,
> >
> > I only joined the conversation recently. Had a quick read of
> > http://tools.ietf.org/html/draft-ietf-tls-pwd-02 and have a question:
> >
> > In a scenario where multiple users use the same password (group password):
> >
> > What prevents a user (who knows the password) from impersonating the server
> > and mounting a MITM between another user and the real server?
>
> Nothing prevents that. This protocol is not designed to support group
> passwords. The password credential is assumed to be shared between
> the client and the server only.
>
> regards,
>
> Dan.
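The property discussed in this exchange, as an added example that is not part of the original messages or of draft-ietf-tls-pwd: a simplified HMAC challenge-response (a stand-in, not the draft's actual key exchange) shows that the client's check proves only that the responder knows the password, so a group password lets any member pass it while per-user passwords do not. All names, passwords and the salt are constructed.

```python
import hashlib
import hmac
import os

SALT = b"constructed-salt"  # constructed value for this illustration

def derive_key(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)

def server_proof(key: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    # Stand-in for the server's handshake confirmation; not the draft's exchange.
    return hmac.new(key, b"server" + client_nonce + server_nonce, hashlib.sha256).digest()

class Responder:
    """Whoever answers the client: the real server or another password holder."""
    def __init__(self, known_passwords: dict):
        self.known_passwords = known_passwords

    def respond(self, username: str, client_nonce: bytes):
        server_nonce = os.urandom(16)
        key = derive_key(self.known_passwords[username])
        return server_nonce, server_proof(key, client_nonce, server_nonce)

def client_accepts(username: str, password: str, responder: Responder) -> bool:
    """Client-side check: does the responder prove knowledge of my password?"""
    client_nonce = os.urandom(16)
    server_nonce, proof = responder.respond(username, client_nonce)
    expected = server_proof(derive_key(password), client_nonce, server_nonce)
    return hmac.compare_digest(proof, expected)

def compare_deployments() -> dict:
    group = "constructed-group-pw"
    real_server = Responder({"alice": group, "bob": group})
    bob_as_server = Responder({"alice": group})  # bob knows the group password
    # Per-user deployment: bob knows only his own password, not alice's.
    bob_per_user = Responder({"alice": "constructed-bob-pw"})
    return {
        "group: real server accepted": client_accepts("alice", group, real_server),
        "group: other user accepted as server": client_accepts("alice", group, bob_as_server),
        "per-user: other user accepted as server": client_accepts("alice", "constructed-alice-pw", bob_per_user),
    }

if __name__ == "__main__":
    for case, accepted in compare_deployments().items():
        print(f"{case}: {accepted}")
```
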