Re: [TLS] SRP ?
Watson Ladd <watsonbladd@gmail.com> Fri, 26 February 2016 22:00 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EED01B3117 for <tls@ietfa.amsl.com>; Fri, 26 Feb 2016 14:00:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V5HZVZXsMP97 for <tls@ietfa.amsl.com>; Fri, 26 Feb 2016 14:00:56 -0800 (PST)
Received: from mail-yw0-x229.google.com (mail-yw0-x229.google.com [IPv6:2607:f8b0:4002:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3718E1B3109 for <tls@ietf.org>; Fri, 26 Feb 2016 14:00:56 -0800 (PST)
Received: by mail-yw0-x229.google.com with SMTP id u200so80132545ywf.0 for <tls@ietf.org>; Fri, 26 Feb 2016 14:00:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=tUSZsBfJ4YEx8+fcPwGqzoZvrO98zWhSG1Pg5FvDJEo=; b=voQDZk0yN3Ob4ZcEW9Vc88eQWzCmqlvxw254avwLQQTW2hcUpMznX70IkSAsozO1Cw ET4QWrjyZZN9ZtlTaU4cbkiCYJiQVgrgJrgUDkgdH2xtzSTCAR91B5cSPo14MHTG0cln wxVBZQyKQQHYGZpFtKzgLwkiHp+02Nkvf0zUSSubGfA/1dCIFWTZz1VMVt/f3DOklrdm +YVqFZN2UkKKbTF3HOTcYu6XiSNInGN06abtJaZHidO0wmnn4JyddXLFSKr/vuGnbuiL TWszWd6NX28eT7KL9Nhs3YEx/Yg/+Ii0/K/3yP0Ygthb/MjTFQvWeGAZOj2AIHEN6e4m hKPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=tUSZsBfJ4YEx8+fcPwGqzoZvrO98zWhSG1Pg5FvDJEo=; b=jv1pcWYrcSQ7HlpvO9z93l+gh8bNrApC2TTG+xX9CMYxmFuo4Ko9DX81C6yxQNw9To g9alhUKoyV7C8dDlTcZA9voPfRcdSf7kwNURkBVsjKSclCAfFxlOhW9xWLLnnewfrMKJ T9Zvi16EkKz9sH9f0y4kB/+qUphkoT+f54q8RLdkHnFFebz+jkrcjrZbvSClNt2KAS8U z9FMTPny0hxz/lLoqk7WxUkEcDx2var6osWM5A5x+fiJWQZlPDsXyJZ3i7KGcWXbqI2J 4IXqhlbbJ8UPOmhvKxCkr2/QxwYFgst9iVyaKMTxihlO1CgiKkzad3Lc6V++1Et9Q+Oh +dhQ==
X-Gm-Message-State: AD7BkJLIlBsnb89zQaNa3vXBro59RgGuG8uS/EMavrRTXF/e+orK5iPokk7hNL9KGUUvgjlcmVrjIL3xynmEmw==
MIME-Version: 1.0
X-Received: by 10.13.226.86 with SMTP id l83mr2398812ywe.239.1456524055427; Fri, 26 Feb 2016 14:00:55 -0800 (PST)
Received: by 10.13.216.138 with HTTP; Fri, 26 Feb 2016 14:00:54 -0800 (PST)
Received: by 10.13.216.138 with HTTP; Fri, 26 Feb 2016 14:00:54 -0800 (PST)
In-Reply-To: <b140eee8b85c4c29c320f183c942ebd7.squirrel@www.trepanning.net>
References: <30c15e55fd524e8bbba814f4898c3f95@ustx2ex-dag1mb1.msg.corp.akamai.com> <248E1E7C-72CB-4A20-B1E3-8CA051560FAC@azet.org> <56CE27D1.7060002@openfortress.nl> <984408eba26e6fd8474bfa45ec317ddc.squirrel@www.trepanning.net> <CACsn0cm7msHxQ_+5WBq64CXJ5ZmS6JODhJb8-m_QSEAE2EPHiA@mail.gmail.com> <b140eee8b85c4c29c320f183c942ebd7.squirrel@www.trepanning.net>
Date: Fri, 26 Feb 2016 14:00:54 -0800
Message-ID: <CACsn0cnkWzAi2cnDieqkwvrtrWT+OXVc7KC923_ArL04gE3rtg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: multipart/alternative; boundary="001a114fc152ee4882052cb36e55"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/KjBokrRuwQHj8319YTMAyaughNA>
Cc: tls@ietf.org
Subject: Re: [TLS] SRP ?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Feb 2016 22:00:58 -0000
On Feb 26, 2016 11:26 AM, "Dan Harkins" <dharkins@lounge.org> wrote: > > > On Thu, February 25, 2016 11:41 pm, Watson Ladd wrote: > > On Thu, Feb 25, 2016 at 11:33 PM, Dan Harkins <dharkins@lounge.org> wrote: > >> > >> Hi, > >> > >> On Wed, February 24, 2016 1:59 pm, Rick van Rein wrote: > >>> Hi, > >>> > >>>> Although the lack of modern cipher-suites for SRP makes it not very > >>>> attractive these days. > >>>> > >>> Does anyone know if work on something like "ECSRP" is going on, > >>> anywhere? > >>> > >>> We've recently worked on getting it working with PKCS #11, > >>> > >>> https://github.com/arpa2/srp-pkcs11 > >>> https://github.com/arpa2/srp-pkcs11/blob/rfc5054_compat/doc/design/srp-pkcs11.pdf > >>> > >>> It could be interesting to see if this translates to the Elliptic Curve > >>> arena. > >>> > >>> I heard rumours of alternatives being weighed against one another, but > >>> failed to find anything concrete. Links are quite welcome! > >> > >> Well there's TLS-PWD. Works just fine with ECC. Also provides > >> for protection of the client username from passive attack. > >> > >> https://tools.ietf.org/html/draft-ietf-tls-pwd-07 > > > > As well as my SPAKE2 draft, which can fit in TLS easily. The real > > problem here is that there is no reason not to use certificates in a > > lot of cases. > > Well if you're using a browser I'd agree with you. But when TLS > is used to protect non-browser traffic there are plenty of cases > where you won't have an implicit trust anchor database or you're > going to some server administered by someone who most likely only > has a self-signed cert (Let's Encrypt makes it easy to get a cert > for a web server but, again, that's kind of browser-centric). > > I address the case for certificate-less authentication in section > 1.1 of the TLS-PWD I-D. The right solution is to make certificates easy. SSH solved this years ago. (Yes, I'm aware devices don't necessarily have a "trust anchor". Passwords assume enough input capacity to solve this probem.) > > regards, > > Dan. > > >> > >> Thanks for reminding me to update that draft :-) > >> > >> Dan. > >> > >>> -Rick > >>> > >>> _______________________________________________ > >>> TLS mailing list > >>> TLS@ietf.org > >>> https://www.ietf.org/mailman/listinfo/tls > >>> > >> > >> > >> _______________________________________________ > >> TLS mailing list > >> TLS@ietf.org > >> https://www.ietf.org/mailman/listinfo/tls > > > > > > > > -- > > "Man is born free, but everywhere he is in chains". > > --Rousseau. > > > >
- [TLS] SRP ? Salz, Rich
- Re: [TLS] SRP ? John Foley
- Re: [TLS] SRP ? Rick van Rein
- Re: [TLS] SRP ? Aaron Zauner
- Re: [TLS] SRP ? Salz, Rich
- Re: [TLS] SRP ? Rick van Rein
- Re: [TLS] SRP ? Dan Harkins
- Re: [TLS] SRP ? Watson Ladd
- Re: [TLS] SRP ? Dan Harkins
- Re: [TLS] SRP ? Rick van Rein
- Re: [TLS] SRP ? Watson Ladd