IETF Logo Mail Archive

Re: [TLS] Should TLS 1.3 use an augmented PAKE by default?

Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 21 March 2014 20:24 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 982D51A09F5 for <tls@ietfa.amsl.com>; Fri, 21 Mar 2014 13:24:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.23
X-Spam-Level:
X-Spam-Status: No, score=-1.23 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5_mFp2txsnp0 for <tls@ietfa.amsl.com>; Fri, 21 Mar 2014 13:24:54 -0700 (PDT)
Received: from mail-ee0-x22a.google.com (mail-ee0-x22a.google.com [IPv6:2a00:1450:4013:c00::22a]) by ietfa.amsl.com (Postfix) with ESMTP id 2F13B1A08FA for <tls@ietf.org>; Fri, 21 Mar 2014 13:24:54 -0700 (PDT)
Received: by mail-ee0-f42.google.com with SMTP id d17so2223338eek.29 for <tls@ietf.org>; Fri, 21 Mar 2014 13:24:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=csKKfB3Y4TaL4K3xqEJMWwe3cD3wEiquneppjV23fhA=; b=VAcg3ms65S73/dGlnc6pvjABs5sArFaPpMVU3+j0JQN3WARYBcmHPiRsQnZV+Cc4fE yofQhtlxLsraKp4PRGs/PMuzKWhZMrIO+1x4qKYkRCwClOcM8h1kCwAazWP1q9J8C6f1 J/ObMxXx6SCY8cD6hdFb6CP65qCZ87WqxvXsZMkvKThuNNqZmzEt0mI9r2qk6/aCpE/8 FbfSbVsp4DAY+zZ8qPpdz8UJYF5qt1R0fzyCDFU5yfxtDGxVw8DuKzoW/zTbI8KJCHrS qwZReSChPDIPZQbPw8/GZyALT1S0WC50ZgJhzAG0x9U87fL/Dfue9nloObxD0UKQV1uC 1Rbw==
X-Received: by 10.15.73.134 with SMTP id h6mr31614473eey.3.1395433484369; Fri, 21 Mar 2014 13:24:44 -0700 (PDT)
Received: from [10.0.0.1] (bzq-79-179-48-141.red.bezeqint.net. [79.179.48.141]) by mx.google.com with ESMTPSA id bc51sm13944046eeb.22.2014.03.21.13.24.43 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 21 Mar 2014 13:24:43 -0700 (PDT)
Message-ID: <532CA00A.6070407@gmail.com>
Date: Fri, 21 Mar 2014 22:24:42 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Yoav Nir <ynir.ietf@gmail.com>, Paul Hoffman <paul.hoffman@vpnc.org>
References: <53288C43.9010205@mit.edu> <5328B6DF.8070703@fifthhorseman.net> <5328C0C8.9060403@mit.edu> <6b79e0820d349720f12b14d4706a8a5d.squirrel@webmail.dreamhost.com> <CALCETrUz8zCBHiq42GTnkkSaBcpA5pjSvk6kwwPjzn+MtBKMgA@mail.gmail.com> <e38419e3ada3233dbb3f860048703347.squirrel@webmail.dreamhost.com> <CALCETrVgJxfdCxZqc9ttHHNKHm-hdtGbqzHvsQ-6yd5BK=9PDw@mail.gmail.com> <67BAC033-2E23-4F03-A4D9-47875350E6B5@gmail.com> <532B0EAA.5040104@fifthhorseman.net> <8D8698DF-5C06-4F2A-8994-E0A36A987D6D@vpnc.org> <A262CD25-DD20-48A1-B74D-B0238581A419@gmail.com>
In-Reply-To: <A262CD25-DD20-48A1-B74D-B0238581A419@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/0rJSaZyPYJNebZQ_qh_AAksOCDg
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Should TLS 1.3 use an augmented PAKE by default?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Mar 2014 20:24:56 -0000

> Huh. I was about to reply “you, me, Andy, and what army?”
>
> Seriously, we can’t establish a new norm in any forum that does not include web designers and UX people. Somewhere there are people who design the UX for people browsing Facebook, Gmail, my bank, Amazon and some web store selling dog food over the Internet. They get to decide what technology goes into the web site, and unfortunately none of them attend the meetings of any of the groups you mentioned. In fact, they don’t follow any IETF group, so we can’t even invite them all to a BoF.
>
> Given that, I don’t think any value of “we” that belongs to the IETF can establish any norms.  I wish this was different.
>
> Yoav
>

There is a (small) discipline of "security usability". For example, see 
[1]. Some things that we do have a lot to do with usability, and I think 
it's time we engaged with that community. "We" here is the SAAG 
community. This applies to PAKE, browser "padlocks" and phishing. I 
think this also applies that which shall remain unnamed, but some people 
call OE, and some other people hate them for that.

Thanks,
	Yaron

[1] https://cups.cs.cmu.edu/soups/2014/

v2.23.0 | Report a Bug | By Email