IETF Logo Mail Archive

[TLS] Re: Feedback on draft-bmw-tls-pake13-01.txt

Rob Sayre <sayrer@gmail.com> Mon, 17 March 2025 16:22 UTC

Return-Path: <sayrer@gmail.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id B0A3CD1B311 for <tls@mail2.ietf.org>; Mon, 17 Mar 2025 09:22:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id olDQwNuy5WTi for <tls@mail2.ietf.org>; Mon, 17 Mar 2025 09:22:07 -0700 (PDT)
Received: from mail-pj1-x102a.google.com (mail-pj1-x102a.google.com [IPv6:2607:f8b0:4864:20::102a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 08113D1B304 for <tls@ietf.org>; Mon, 17 Mar 2025 09:22:07 -0700 (PDT)
Received: by mail-pj1-x102a.google.com with SMTP id 98e67ed59e1d1-3018e2d042bso1368934a91.2 for <tls@ietf.org>; Mon, 17 Mar 2025 09:22:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1742228526; x=1742833326; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=KWGcPRJeL+DVfWR5WRBQaktTENOqVPCyLNW7oVvPBOs=; b=eRlc4l2+90tMe4aMRGyVHcycxMr73ZNPHEGbtE41bLkYI8ss7GkA0Kh3xN71gbXAKw 12Du8J6XqlH+VRpFDbA+jO9Id0odAeqlXOmCLs3R5cQjqw9EXWT8FTmH+TVpz6A4w+K6 KZjaRDlwxWow4N4C7FddVheTyYAA35pImaxAZVKMvCij5jrzh0LX0DmAg0JiUGMTTj5y F6t5mj+q/AVlpEo9h+dy6EJh2Yf9cCQwfbuTabRnqohRfSFF8yiL7t/D/74njOKphdbe aUIKNZEHfzgMP6akIfCfopJC8+Rsu1ApBMzkqKP48wolMCyZiSgQTAqrHqgxzaj0roPz erpw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1742228526; x=1742833326; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KWGcPRJeL+DVfWR5WRBQaktTENOqVPCyLNW7oVvPBOs=; b=CYK1Zhz3SnS7G05OWI7akuPV+Dzy30TlzZ0+b6DCrVCoxzRoTkWbobNwDmZJv3gJOK mMpUkfYEbnBuEFPCewD4YSyda7U1vOFMVNYJZpiDVUxs3Vq41b23tS6RXPvV/HHOTUPe qARrDt1aas0TnB9vdkOwJHKtNURkHP6GK52x+YHEqvPuz5xXwTIYxOCf7YEGhRFJN64b k3eOFSVIEcSLE5d4RwCpZjtQEkuLVWRX93lcJM+E5PjJb34u+mAGUUK3hjLJCzduIi+Z lZFcJZ64vFjbyTCjIRP6YYQQDUkhmSItA7Xeb45p7v7gT7hUAiReHJ0bJzC3qFx3IHE5 ukZQ==
X-Forwarded-Encrypted: i=1; AJvYcCV6sn3GosB/jWyYCoTHvVkyyS0xRW1WrCe9H4l2bJ02bAGaMmm50mLqSXsnRLnsQ+zf74g=@ietf.org
X-Gm-Message-State: AOJu0Yzux3QBjLXrj2t+ki40IPBT/j3qJYgj52fl3Qeb4BKpCYvb5C2A qf3TQhv7sOCHtcsfpb3mnXT7xdCMxuCJMYSgYiu3y7jz1tvAj2CGSGzimxwRNPX7R500cpPCFKf 3CN1JuY30qnngazMi/prYkDgQbNw=
X-Gm-Gg: ASbGncse7mBoZ69K9dzHahvRN6vKuZQH2mlLj/WsVoeme2ogpBmv3nlG5y1xqAVSlDR bH8YuoeFs30RnSpJHAdB5/aCox8HwY3lHI2uXVLOIC0EGsFJYORcM75hNZ2sAOTiKAux5cgeZj7 lC5Yba3e01WlfTSNXQdrKy76kzIeJhM8MQwWBnCFt3BFK7mUHT+1NDrLw=
X-Google-Smtp-Source: AGHT+IGMIw5cxUD3WmGZqlGUca6Wwtnhkmso1fCIZZ7t3jibBJ1E0lkPyhKTZNokQb1CiSQuj77pK6MjxvU86O3Pz10=
X-Received: by 2002:a17:90b:5288:b0:2fe:b907:3b05 with SMTP id 98e67ed59e1d1-30151dc6825mr16434644a91.29.1742228525594; Mon, 17 Mar 2025 09:22:05 -0700 (PDT)
MIME-Version: 1.0
References: <05B28816-9AA9-4035-B451-8ACFFBE2D4DE@apple.com> <CAChr6Sy1Eew1J5z9at3qEwLRWn+7ZLm0f564LobNQGMD7ANQaA@mail.gmail.com> <CABcZeBOpk2cYAyie4=G5=c6V43HvGB70fKVf_e_bQqnt_4C9WQ@mail.gmail.com> <CAF8qwaAoYEZj_t56unUAqz+SaKw6CvMFJ2NmqNmE8skmjKKSpA@mail.gmail.com> <CAChr6Sw+9bZxjcaJMNbY8UZBbmv5ZDnyb7aGtCjXcrtxvfeoew@mail.gmail.com> <CABcZeBNFPLWcYDhv1axqSwTX_w_yatfbJyih8CUMhZfkK5484g@mail.gmail.com>
In-Reply-To: <CABcZeBNFPLWcYDhv1axqSwTX_w_yatfbJyih8CUMhZfkK5484g@mail.gmail.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Mon, 17 Mar 2025 09:21:53 -0700
X-Gm-Features: AQ5f1JpAWeOAa1eVbrfIe2ZaDHUTwewWK_TCPLb-8ueRMdzaM9O8gkVj5AzADEk
Message-ID: <CAChr6Syji7TKs6GumtmpZ8_tKXb5UK10_b6HdR1PU8Oni0pTkw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="00000000000062c06106308c30db"
Message-ID-Hash: BQQRQNANMH35M5BJULRFHSPSYFP26CTV
X-Message-ID-Hash: BQQRQNANMH35M5BJULRFHSPSYFP26CTV
X-MailFrom: sayrer@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Laura Bauman <l_bauman=40apple.com@dmarc.ietf.org>, tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Feedback on draft-bmw-tls-pake13-01.txt
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Rlx-kvuUHx9_W9ecHlY8m_5U9oM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Mon, Mar 17, 2025 at 8:49 AM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Mon, Mar 17, 2025 at 8:37 AM Rob Sayre <sayrer@gmail.com> wrote:
>
>> On Sun, Mar 16, 2025 at 7:52 PM David Benjamin <davidben@chromium.org>
>> wrote:
>>
>>>
>>> I'd also add that, *if* we want something PAKE-shaped in a web-like
>>> context, I don't think TLS-PAKE is a good fit for it. (Which is fine! Not
>>> everything needs to be for every use case.)
>>>
>>
>> Yes, I was thinking of mobile phone sign-in use cases. I think web
>> browsers could also offer "native" sign-in UI for people that want to use
>> it. It wouldn't be much different from my bank iOS app that lets me sign in
>> with FaceID. This kind of thing:
>>
>>
>> https://developer.apple.com/documentation/sign_in_with_apple/authenticating-users-with-sign-in-with-apple
>>
>
> The current workflow is that the user goes to example.com, which prompts
> them for their password. They then type their password into some form.
>

Yes, this is the current experience.


> With PAKE, what we want them to do is at this point to instead type it into
> some browser affordance, so that the site never sees the password.
>

Well, with that flow above, the user doesn't type their password. It looks
like this:
https://youtu.be/TmS66WNL1GE?si=pkEcjcPg1YdnDbSb&t=196


> As I
> said previously, this is technically straightforward but also phishable
> because
> training users to only type the password into the browser chrome is very
> difficult.
>
> Can you explain specifically the experience you have in mind that you think
> would avoid that risk?
>

In that ladder diagram in the link above, both sides have enough
information to bootstrap a PAKE, but the acronym is a bit of a misnomer in
this case. So, the PAKE registration process is the existing "Sign In /
Sign Up" feature. Then that data is used in the TLS handshake, but you only
need an identifier in the ClientHello to get started, because you've
verified their tokens during registration. This way is much less general
than this draft, and assumes that kind of sign-in flow. But, it's a pretty
popular pattern.

thanks,
Rob

v2.46.0 | Report a Bug | By Email | System Status