On Sun, 3 Jul 2016, Yoav Nir wrote:
>> 3) The Internet Draft Currently under consideration is not the best starting
>> point as it assumes that post-quantum pre-shared keys are the preferred
>> solution for quantum resistance. This is not obviously the case; there are a
>> number of drawbacks with the suggested system:
>
> I think this misstates the problem that the draft is trying to solve. The draft
> is not a solution to the problem of authenticating peers in a world where
> adversaries have quantum computers. The draft is a solution to the problem of
> authenticating peers *using pre-shared keys* in such a world. There may be
> different solutions for authenticating peers with other credentials.
That was not clear to me when we were asking for adoption of the
document. In one way, I have fewer issues with it if the document
can clearly state that is the scope of it. On the other hand, we
might want to have a discussion about the security of PSK in general,
and whether the method deserves to be obsoleted completely because
of its continued weak deployments (e.g. see Snowden leaks).
> However, with my vendor hat on, I know that PSKs are used extensively (and
> nobody's asking me whether this is a good idea or not), and I have heard that
> some users are beginning to ask questions about quantum resistance. So I believe
> that there is a problem to solve here.
I can see that point. As a vendor it is hard to tell people not to do a
certain deployment because it is seen as "easiest". However, with our
IETF protocol designer hats on, this should not be a strong argument.
Paul
_______________________________________________
IPsec mailing list
ipsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec