IETF Logo Mail Archive

[TLS] Re: Feedback on draft-bmw-tls-pake13-01.txt

Eric Rescorla <ekr@rtfm.com> Sun, 16 March 2025 23:16 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 52CB7C54F22 for <tls@mail2.ietf.org>; Sun, 16 Mar 2025 16:16:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PtvvaRjmDWFP for <tls@mail2.ietf.org>; Sun, 16 Mar 2025 16:16:31 -0700 (PDT)
Received: from mail-yw1-x112e.google.com (mail-yw1-x112e.google.com [IPv6:2607:f8b0:4864:20::112e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 9BE3FC54F15 for <tls@ietf.org>; Sun, 16 Mar 2025 16:16:31 -0700 (PDT)
Received: by mail-yw1-x112e.google.com with SMTP id 00721157ae682-6f754678c29so41382587b3.0 for <tls@ietf.org>; Sun, 16 Mar 2025 16:16:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1742166991; x=1742771791; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=lcIXP9qKIzUItUtL0Bec7rY2R2NkogS7HyuRQRNlb0k=; b=Yui87EWCr5qGlHKU29DwJqIOgsyBi4aA3lKPN/F2ViaxNz99EKcQzaH5POw6dR+F1a FqnYhgWkMlJckpyKQyBH29mKSdgUuUDDbKxKxofcOKYgOi9bcF5Sebuynjgaf1g0DSXN gh2K3ZaMJhYOMzyt29TzLyuYCC9KSzLmR1UzXY3+IQiCDpy6UHliKNA1UzJgdSVZf6Zu OvEDWFuNkaVFduUCZycRjDzUvEuqN/DAvt4oSYGrB9Ho5Jqd1XDuruYdqklPEnOJR5ki 1K2Uyz1PFEagW30bUjgSLh/Ly5sPEutYH7c8b3XjxAnSFB1T0zjhRtGPm+GA3bpMKb7H aB4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1742166991; x=1742771791; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=lcIXP9qKIzUItUtL0Bec7rY2R2NkogS7HyuRQRNlb0k=; b=bREFeomgNoOlWdMTnXPomOqPqwrt8HR1as4v6U9C2lJohzNaS8jNLEsNgg9qK9MOVY Y7GyKDZBV++V39UT1s+Ih/rV9iZSt3e7UUivuG/xuvcnjuCx+U8BRqqYdGWFl0STSfuU 3vnApyshk69/JGKaEo38BaGh49kh2kps5IE0OGwQPogAztwty+iuehCH7FnXYtvASCNz fZg1FAvxm5C9qBqb0R8hFVAQSPZ/EAzT6IukeL2WpwP0K0aZY3MDF3sZGns9IsDbe9HL zskCEOc4Habtz55M9voE3aulNbj9WBrZcd1YBGfyJch8pdckNJ1A++g0dvt1xYR1tT++ wXGQ==
X-Forwarded-Encrypted: i=1; AJvYcCUyY4qh/aBkkWMf1qmqE1IxUfyD2x2aXvCwKmYuyoatx9hCy7Dz/y5471C4BIkZtXzjRaI=@ietf.org
X-Gm-Message-State: AOJu0Yyfy43Cjw25p6gjaMwZjCSMwj9vOGCAVqNwl4cRdvw+N7UNi2Mn z2t0jf/STmNkP8u7hvB5CBsx1jO1SvXxQR8tDoGGWtE9EF4mrzVQCvGeuqO+u8cR4P1zLMzn1th lLn7GL/KwwmAJv7CH4KI7KqY4SbgkTSuYUoYRpspc+iCZwiXB
X-Gm-Gg: ASbGncvebdVgeazUXTNoVSe6tVIat6yUnhfSkYYgyUriMa6E3aAABO1bFKVCpsORpx5 U4O4S9Ewk63Mi0xgZCK1r6HrBEiS82h79qUBf7EgYJ7rtWqYOOMFIL40u/XJpCjvbfBNlmxxSJl ZJQHOCJjqf4u5tGRR/IqWMJSmV5W6m8tus3vlVKb0=
X-Google-Smtp-Source: AGHT+IFCwe2Qw0DEGZ/9tJI8EhaOptEVwzVP7Gvw8nbEBCsHWzrWeK3ph/2tRp9p+6648x/SEtbUsQTuzVZb5KzfX0c=
X-Received: by 2002:a05:690c:4c11:b0:6f7:567a:4576 with SMTP id 00721157ae682-6ff45efa7cdmr132738447b3.2.1742166991119; Sun, 16 Mar 2025 16:16:31 -0700 (PDT)
MIME-Version: 1.0
References: <05B28816-9AA9-4035-B451-8ACFFBE2D4DE@apple.com> <CAChr6Sy1Eew1J5z9at3qEwLRWn+7ZLm0f564LobNQGMD7ANQaA@mail.gmail.com>
In-Reply-To: <CAChr6Sy1Eew1J5z9at3qEwLRWn+7ZLm0f564LobNQGMD7ANQaA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 16 Mar 2025 16:15:55 -0700
X-Gm-Features: AQ5f1JorekgqqxuPuAXnDx3Lbne9dUiktUqn_z3Pq9vBn8PPYQ6QHpyDV9vk5bM
Message-ID: <CABcZeBOpk2cYAyie4=G5=c6V43HvGB70fKVf_e_bQqnt_4C9WQ@mail.gmail.com>
To: Rob Sayre <sayrer@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000a5463706307ddca4"
Message-ID-Hash: JEMN7MP5ZSVHHH4U3J5UYGMOFPOASBWW
X-Message-ID-Hash: JEMN7MP5ZSVHHH4U3J5UYGMOFPOASBWW
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Laura Bauman <l_bauman=40apple.com@dmarc.ietf.org>, tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Feedback on draft-bmw-tls-pake13-01.txt
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_iD5Kq9dmBpn3KWKenHP_kQiiak>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Sun, Mar 16, 2025 at 11:52 AM Rob Sayre <sayrer@gmail.com> wrote:

> On Sat, Mar 15, 2025 at 7:21 PM Laura Bauman <l_bauman=
> 40apple.com@dmarc.ietf.org> wrote:
>
>> Thanks to everyone that has taken a look at draft-bmw-tls-pake13-01.txt
>> and provided feedback so far. As more people start reading it, I wanted to
>> clarify that the current draft version does not yet reflect the change we
>> intend to make to allow Certificates and the pake extension to be used
>> together. We’ve filed a GitHub issue here tracking our intent to change
>> this: https://github.com/chris-wood/draft-bmw-tls-pake13/issues/25.
>>
>
> I'm pretty sure this is not news to authors, but I've thought about this
> one before (when the IRTF was conducting their PAKE contest). It seems like
> using both PAKE and certificates together, in combination with "Sign In"
> products would be pretty powerful. I am not sure why this draft needs TLS
> extensions, and it doesn't cover the thorny problem of PAKE registration at
> all.
>

Leaving the question of registration aside, I don't believe that PAKEs are
really viable in the Web context, for two reasons:

- Sites in general want to control the login experience and this means
having the password typed in in a box they control, not in the browser UI,
especially given the current terrible state of password UIs for browsers.
- In the phishing context, the attacker site can just prompt the user
directly for their password or simulate the PAKE UI, thus bypassing the
PAKE. The whole premise of phishing is that the user doesn't check
carefully, so I don't think we can rely on users to detect this form of
attack.

We already have phishing resistant authentication mechanisms such as
WebAuthn which don't have this problem, so I think the motivation for PAKEs
on the Web is pretty weak.


Couldn't it be click "Sign In", and start the TLS key schedule from there,
> instead of "0"? No extensions necessary.
>

Regardless of the point above, I do not believe this would work. You need
some protocol to carry the PAKE information and if that's not going in the
TLS handshake, where is it going?

-Ekr




> I decided not to work on this problem, because I figured it would make a
> lot of people mad, and I didn't want to spend my time on it. But, might as
> well ask the question since we have this draft in front of us.
>
> thanks,
> Rob
>
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>

v2.31.3 | Report a Bug | By Email | System Status