Hi everyone,
In the past we have had heated discussions on password-based auth.
Judging by the resounding silence over the last week, only the draft
authors are interested. If this is true, then the working group as a
whole is seemingly unable to work on this charter item.
Personally, I would prefer a different outcome. But as a co-chair, I
would not hesitate to eliminate this work item if there is no community
support for it.
Thanks,
Yaron
On 05/17/2010 05:42 PM, Paul Hoffman wrote:
Greetings again. This WG is chartered to "develop a standards-track extension to
IKEv2 to allow mutual authentication based on 'weak' (low-entropy) shared secrets."
The goal is to avoid off-line dictionary attacks without requiring the use of
certificates or EAP. There are many already-developed algorithms that can be used, and
the WG needs to pick one that both is believed to be secure and is believed to have
acceptable intellectual property features.
As we discussed earlier, each WG member needs to come up with their own criteria for
making such a choice. Dan Harkins has proposed a set of guidelines that individuals
might use when choosing;
see <http://www.ietf.org/id/draft-harkins-ipsecme-pake-criteria-00.txt>.
So far, three protocols have been proposed to the WG:
- <http://tools.ietf.org/html/draft-harkins-ipsecme-spsk-auth>
- <http://tools.ietf.org/html/draft-kuegler-ipsecme-pace-ikev2>
- <http://tools.ietf.org/html/draft-sheffer-ipsecme-hush>
In addition, one more draft was presented to the
WG: <http://tools.ietf.org/html/draft-shin-augmented-pake>. However, the
Augmented PAKE draft does not specify how it would be integrated into IKEv2.
Note that more proposals might be made as we discuss; such proposals will
hopefully be accompanied by Internet Drafts that show both the crypto and how
it would be integrated into IKEv2.
To start off this conversation, I propose that people start threads on the
individual drafts, saying which positive and negative criteria they think apply
to each. I also propose that replying to this message, or starting a thread
that is supposedly about all four proposals but only focuses on one, is not
going to help much. Of course, the authors of the four drafts are welcome to
say why they think their proposal meets an optimum set of criteria, and to
clarify parts of their proposals as others comment.
Obviously these are all initial drafts, and the WG will have ample opportunity
to improve the selected proposal later in the process. For now, please focus on
the relative advantages and disadvantages (based on your personal criteria) of
each of the proposals.
--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec