Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd

"Dan Harkins" <> Thu, 05 December 2013 17:15 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 9F9201AE122 for <>; Thu, 5 Dec 2013 09:15:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.867
X-Spam-Status: No, score=-3.867 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id e6C6Iulb8ErZ for <>; Thu, 5 Dec 2013 09:15:31 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id D46911AE111 for <>; Thu, 5 Dec 2013 09:15:31 -0800 (PST)
Received: from (localhost []) by (Postfix) with ESMTP id 6504B1022404C; Thu, 5 Dec 2013 09:15:28 -0800 (PST)
Received: from (SquirrelMail authenticated user by with HTTP; Thu, 5 Dec 2013 09:15:28 -0800 (PST)
Message-ID: <>
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <>
Date: Thu, 5 Dec 2013 09:15:28 -0800 (PST)
From: "Dan Harkins" <>
To: "Bodo Moeller" <>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: "" <>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 05 Dec 2013 17:15:34 -0000

On Thu, December 5, 2013 3:48 am, Bodo Moeller wrote:
> Dan Harkins <>rg>:
> The exchange was reviewed by the CFRG with, as Joe noted, satisfactory
>> results.
> While it is true that Joe noted that, I think the point of the present
> discussion is that the protocol wasn't actually reviewed by the CFRG with
> satisfactory results.

  No, that's not really true.  There is a difference between "your
protocol has
not been proven secure" and "your protocol has a security flaw". And while
the former has been pointed out on this list and the CFRG list, the later
has not.

  You have pointed out an issue with using an in-band server-provided
domain parameter set and I'm going to address that in a subsequent version.
That's not really a flaw in the key exchange, it's how the key exchange has
been inserted into TLS and it can be addressed by some text rewrite. I
am genuinely thankful for your comment and I will address it in a
subsequent version.

  The present discussion on the list boils down to these subjects:

  1) there's no security proof and that is unacceptable (Rene, Watson)
  2) there's nothing special about this protocol so why don't you (being
      me) spend your time working on something else that we (Rene,
      Watson) think is better.
  3) the TLS-pwd benefits and your use cases are not compelling to
      me (Trevor).

The response to #1 is that security proofs have never been required
and we have standards-track protocols today that are susceptible to
offline dictionary attack (every PSK cipher suite). So it's an appeal to a
process that does not exist.

The response to #2 is that lack of implementation of these other
protocols has been hampered by patents and TLS-pwd is not
patented (and the underlying dragonfly key exchange is not patented
either). Theoretically I think there are some elegant alternatives to
TLS-pwd but practically I don't think there are. Regardless though,
there is nothing stopping Rene and/or Watson from doing any work
on any other protocol they think should be advanced. Since I am not
their slave^H^H^H^H^Hgrad student I do not feel compelled to
throw away my work and write papers and wait years as has been

(The little uptake in PAKE protocols in the IETF in the recent years is
the result of people following me around from EMU to IPsecme and
now to TLS and after I do the leg work and present a dragonfly-style
exchange someone else comes along and says "hey, me too").

The response to #3 is: so? There is rarely uniformity in viewpoints
as everyone's experience is different. Now there's a choice and if
the benefits of one are not compelling then be happy you can
choose the other.

  To sum, there has been no demonstration of a flaw against the
dragonfly protocol, just some people unhappy that I don't live up
to their standards or that my views of what is important in a PAKE
protocol is not congruent to theirs.