Hi Brian, I think this <https://wiki.allseenalliance.org/_media/core/alljoyn-ec-speke-draft-2.pdf> may be what you're looking for.
-Josh On Thu, Feb 25, 2016 at 8:11 PM, Brian Witten <[email protected]> wrote: > Hi Greg, Can you send the SPEKE proposal that was mentioned earlier? > > Sent from my iPhone > > On Feb 25, 2016, at 11:31 AM, Greg Zaverucha <[email protected]> wrote: > > Josh: In a security 2.0 deployment, PSK is only used for > onboarding/claiming. In a security 1.0 deployment apps could choose to use > it however they want. > > > > Ken: deprecation will follow the regular AllJoyn deprecation process. > Here’s my understanding of the timeline: PSK will be annotated as > deprecated in 16.04. It will be supported for two releases, then still > present but unsupported for another two. > > > > Greg > > > > *From:* Josh Spain [mailto:[email protected] <[email protected]>] > *Sent:* Thursday, February 25, 2016 11:22 AM > *To:* Swinson, Ken <[email protected]> > *Cc:* Lioy, Marcello <[email protected]>; Greg Zaverucha < > [email protected]>; [email protected]; > [email protected]; > [email protected]; > [email protected] > *Subject:* Re: [Allseen-core] [AllSeen Alliance TSC] Deprecation (and > replacement) of ECDHE_PSK > > > > Greg, > > > > Can you describe the scenarios other than during onboarding in which > ECDHE_PSK is currently or would potentially be used in AllJoyn? > > > > Thanks, > > Josh > > > > On Thu, Feb 25, 2016 at 8:59 AM, Swinson, Ken <[email protected]> > wrote: > > We discussed the planned deprecation of ECDHE_PSK on an HAE working group > call this AM. A concern was raised regarding how quickly ECDHE_PSK will be > deprecated. I recall from the core working group calls that there is a > desire to deprecate this feature quickly once this new authentication > method is added. > > > > The concern raised by HAE group is that they are launching their service > frameworks on core 15.09 and will be using ECDHE_PSK for authentication. > They need to plan a transition to the new method while supporting released > products using ECDHE_PSK. > > > > I looked for and did not find a jira ticket tracking the deprecation of > ECDHE_PSK. Is there one? > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Lioy, > Marcello > *Sent:* Thursday, December 10, 2015 2:58 PM > *To:* Greg Zaverucha; [email protected]; > [email protected]; > [email protected] > *Subject:* Re: [AllSeen Alliance TSC] Deprecation (and replacement) of > ECDHE_PSK > > > > As there has been no responses to this the Working Group decided in the > call today to in fact deprecate this authentication mechanism. Thanks to > Greg for driving the proves and volunteering to do the work. > > > > *From:* [email protected] [ > mailto:[email protected] > <[email protected]>] *On Behalf Of *Greg > Zaverucha > *Sent:* Thursday, December 03, 2015 2:23 PM > *To:* [email protected]; > [email protected]; > [email protected] > *Subject:* [Allseen-core] Deprecation (and replacement) of ECDHE_PSK > > > > The core working group discussed today whether to mark ECDHE_PSK as > deprecated in 16.04, and have a new mechanism called ECDHE_SPEKE replace > it. Information about the new mechanism is here: > https://jira.allseenalliance.org/browse/ASACORE-2055 > <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fjira.allseenalliance.org%2fbrowse%2fASACORE-2055&data=01%7c01%7cgregz%40microsoft.com%7c4597341a44b94ecf9a4808d33e18ee60%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=V5tz5nrBvluL4E7ylsu6EHXgViccaK4ZzpOWs%2bJBjW4%3d> > . The main difference between SPEKE and PSK is that SPEKE is secure even > when the pre-shared secret is a low-entropy password, while for PSK the > peers must share a key with high entropy (ideally, 128 bits). > > > > The reasons for deprecation are > > - There is no use case that ECDHE_PSK addresses that ECDHE_SPEKE > doesn’t. The primary use case for PSK in Security 2.0 is onboarding, and > SPEKE is appropriate for this use case. > > - ECDHE_PSK is easy to misuse, if an app uses a short password > instead of a high entropy key, security is lost. > > - Having two ways to do similar things causes confusion, > complicates the code (and increases TC memory footprint) > > > > Consensus on the call was to go ahead with deprecation, this email is to > give those that weren’t on the call a chance to weigh in. We’ll finalize > the decision on the core WG call next Thursday (Dec. 10th). If you have > concerns about this change, please voice them before then. > > > > Greg > > > _______________________________________________ > Allseen-core mailing list > [email protected] > https://lists.allseenalliance.org/mailman/listinfo/allseen-core > <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2flists.allseenalliance.org%2fmailman%2flistinfo%2fallseen-core&data=01%7c01%7cgregz%40microsoft.com%7c4597341a44b94ecf9a4808d33e18ee60%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=6B7x4aFJ6l0%2bCFbgN9CicPufGVQGJl2nyvlruSu6yRo%3d> > > > > _______________________________________________ > Allseen-core mailing list > [email protected] > https://lists.allseenalliance.org/mailman/listinfo/allseen-core > >
_______________________________________________ Allseen-core mailing list [email protected] https://lists.allseenalliance.org/mailman/listinfo/allseen-core
