Hi Michael,

> I'm watching the video (in five minute intervals for unexplained
> reasons... it seems like I've been watching this video for days).
>
> I want to +1 Dan: we need a balanced PAKE.
>
> I sincerely wish Tero was right: that there was no excuse not to use digital
> signatures for good site-to-site, even between companies. The reason we
> don't have this is because digital signatures keep getting confused with
> PKIs, something John Gilmore realized 20 years ago.
>
> I think we should ask the CFRG to pick a single balanced PAKE for us.

Why do you think balanced PAKE is more appropriate for us than augmented?

> If the CFRG want to pick another PAKE for other purposes, that's fine.
> I think that letting CFRG pick two PAKEs for different purposes might
> free up the log jam?

They've just announced in Bangkok a desire to start the process of selecting "zero or more" recommended PAKE(s) for the IETF community. I believe IPsec is included :-)

Another problem with PAKE is that it must be integrated into IKE somehow. EAP definitely can be used for this, but it's a bit expensive from a protocol point of view. We also have RFC 6467, but it's Informational and I'm not sure it's widely supported. And while the RFC 6467 framework is flexible enough, it is still not clear to me if it can accommodate PAKEs like OPAQUE...

Regards,
Valery.

> I also heard Dan offer to remain silent, and I just wanted to get that
> on the record.
>
> --
> ] Never tell me the odds! | ipv6 mesh networks [
> ] Michael Richardson, Sandelman Software Works | network architect [
> ] [email protected] http://www.sandelman.ca/ | ruby on rails [
