Yoav Nir wrote:
> I don’t think the idea is to replace a 128-bit PSK derived from a properly
> seeded DRBG with “ip5ecmeRockz!” using a PAKE.
Please! The official PSK is "makemetastegoat"
--
Michael Richardson , Sandelman Software Works
-= IPv6 IoT consulting =-
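The exchange above (a 128-bit PSK from a seeded DRBG versus a memorable string such as "ip5ecmeRockz!") turns on one property of IKEv2 PSK authentication: RFC 7296 section 2.15 computes AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>), and the signed octets are built from material sent in the clear. A passive observer therefore holds a verifier for the PSK and can test guesses offline. The following is an added example, not code from the thread or from any IKE implementation. It assumes PRF_HMAC_SHA2_256 as the negotiated prf, uses a constructed placeholder for the signed octets rather than a real IKE_SA_INIT capture, and a constructed wordlist; the function names are mine.

```python
"""Added example: offline guessing against an IKEv2 PSK AUTH payload.

The only protocol detail relied on is RFC 7296 section 2.15:
    AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets> )
SIGNED_OCTETS below is a constructed stand-in for the real signed octets
(IKE_SA_INIT message || peer nonce || MACedID); any fixed bytes serve, because
the attacker sees them on the wire either way.
"""
import hashlib
import hmac
import math
import secrets

KEY_PAD = b"Key Pad for IKEv2"  # literal pad string from RFC 7296 section 2.15

# Constructed placeholder, not a captured exchange.
SIGNED_OCTETS = b"constructed: IKE_SA_INIT-request || Nr || MACedIDForI"

# Constructed wordlist standing in for a real password dictionary.
WORDLIST = [
    b"password", b"ipsec123", b"ip5ecmeRockz!", b"makemetastegoat",
    b"correcthorsebatterystaple", b"vpn2018", b"Welcome1",
]


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, the prf assumed to be negotiated for this IKE SA."""
    return hmac.new(key, data, hashlib.sha256).digest()


def ikev2_psk_auth(psk: bytes, signed_octets: bytes = SIGNED_OCTETS) -> bytes:
    """AUTH payload value for PSK authentication (RFC 7296 section 2.15)."""
    return prf(prf(psk, KEY_PAD), signed_octets)


def offline_dictionary_attack(auth: bytes, candidates,
                              signed_octets: bytes = SIGNED_OCTETS):
    """Return the first candidate that reproduces the observed AUTH, else None.

    Each guess costs two HMAC computations and no network round trip. This is
    the weakness the thread refers to: a weak PSK is exposed to the full
    offline guessing budget of anyone who recorded one exchange. A PAKE
    removes it, since its transcript gives a passive observer nothing to
    verify guesses against.
    """
    for cand in candidates:
        if hmac.compare_digest(ikev2_psk_auth(cand, signed_octets), auth):
            return cand
    return None


def generate_psk(nbytes: int = 16) -> bytes:
    """The alternative from the quoted text: a 128-bit PSK from a seeded CSPRNG."""
    return secrets.token_bytes(nbytes)


def guess_space_bits(candidates) -> float:
    """log2 of the number of guesses needed to exhaust a candidate set."""
    return math.log2(len(candidates))


if __name__ == "__main__":
    observed = ikev2_psk_auth(b"ip5ecmeRockz!")
    print("weak PSK recovered:", offline_dictionary_attack(observed, WORDLIST))
    strong = generate_psk()
    observed = ikev2_psk_auth(strong)
    print("random 128-bit PSK recovered:",
          offline_dictionary_attack(observed, WORDLIST))
    print("wordlist covers %.1f bits; random PSK needs %d bits"
          % (guess_space_bits(WORDLIST), 8 * len(strong)))
```

The point of the example is the asymmetry, not the wordlist size: whatever guess rate an attacker has, the cost of exhausting a memorable password is bounded by its dictionary, while the 128-bit case is bounded by 2^128 regardless of how the exchange was captured.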
Hi, Valery
> On 12 Dec 2018, at 11:02, Valery Smyslov wrote:
>
>>> I see this as a social issue, not a technical one. We can't prevent
>>> administrators from being careless, either with PSKs or with passwords.
>>
>> We can make more secure deployments easier.
>>
>> If the only change on the
> > I see this as a social issue, not a technical one. We can't prevent
> > administrators from being careless, either with PSKs or with passwords.
>
> We can make more secure deployments easier.
>
> If the only change on the site-to-site config is to change the keyword
> "psk" to "pake" and
On Tue, 11 Dec 2018, Valery Smyslov wrote:
What I heard from the IPsecME record was that many in the room
felt that this was where there was a weakness.
I see this as a social issue, not a technical one. We can't prevent
administrators from being careless, either with PSKs or with passwords.
On Tue, 11 Dec 2018, Nico Williams wrote:
- you're not entirely sure that you don't have weak PSKs and would like
to strengthen them
I think that this is the major reason.
OK, but you can always convert the real weak PSKs to either PK-{I,raw}
or EAP depending on whether the "client" is
On Tue, Dec 11, 2018 at 07:21:26AM -0500, Michael Richardson wrote:
> Nico Williams wrote:
> > On Mon, Dec 10, 2018 at 09:20:54PM -0500, Michael Richardson wrote:
> > > Paul Wouters wrote:
> > > > > yes, typo, "not for road-warrior"
> > > >
> > > > I understood. I disagree with the “not”. Road
> > I think that using PAKE for road warriors is more important than for
> > site-to-site VPNs. In the latter case the SGWs are usually administered
> > by (presumably :-)) experienced administrators, who can select a
> > high-entropy
> > PSK, and these PSKs need not to be memorable by users. So,
Valery Smyslov wrote:
> I think that using PAKE for road warriors is more important than for
> site-to-site VPNs. In the latter case the SGWs are usually administered
> by (presumably :-)) experienced administrators, who can select a high-entropy
> PSK, and these PSKs need not to be memorable by
Nico Williams wrote:
> On Mon, Dec 10, 2018 at 09:20:54PM -0500, Michael Richardson wrote:
> > Paul Wouters wrote:
> > > > yes, typo, "not for road-warrior"
> > >
> > > I understood. I disagree with the “not”. Road warriors using group psk is a
> > > thing, sadly.
> >
> > But they aren't
Hi Paul,
I think that using PAKE for road warriors is more important than for
site-to-site VPNs. In the latter case the SGWs are usually administered
by (presumably :-)) experienced administrators, who can select a high-entropy
PSK, and these PSKs need not to be memorable by users. So, generally
On Mon, Dec 10, 2018 at 09:20:54PM -0500, Michael Richardson wrote:
> Paul Wouters wrote:
> > > yes, typo, "not for road-warrior"
> >
> > I understood. I disagree with the “not”. Road warriors using group psk is a
> > thing, sadly.
>
> But they aren't cross-domain, they can do EAP-foobar, and
On Mon, Dec 10, 2018 at 08:58:15PM -0500, Paul Wouters wrote:
> On Mon, 10 Dec 2018, Nico Williams wrote:
> >>That is still missing OTP support :(
> >
> >If you have the private keys locked unextractably in a hardware token
> >that requires a PIN to unlock, then you have two factors right there.
>
Paul Wouters wrote:
> > On Dec 10, 2018, at 19:51, Michael Richardson wrote:
> >
> >
> > Paul Wouters wrote:
> >>> Because I share Paul's view that the PSKs we care about are generally
> >>> identical in both directions
> >>
> >> I agree here.
> >>
> >>> , and this use is primarily about
On Mon, 10 Dec 2018, Nico Williams wrote:
That is still missing OTP support :(
If you have the private keys locked unextractably in a hardware token
that requires a PIN to unlock, then you have two factors right there.
That's not generic two-factor authentication though, and it certainly
> On Dec 10, 2018, at 19:51, Michael Richardson wrote:
>
>
> Paul Wouters wrote:
>>> Because I share Paul's view that the PSKs we care about are generally
>>> identical in both directions
>>
>> I agree here.
>>
>>> , and this use is primarily about site-to-site
>>> inter-company VPNs.
Paul Wouters wrote:
> > Because I share Paul's view that the PSKs we care about are generally
> > identical in both directions
>
> I agree here.
>
> > , and this use is primarily about site-to-site
> > inter-company VPNs. This is note for road-warrior access.
>
> But not here. weak group
On Mon, Dec 10, 2018 at 06:47:25PM -0500, Paul Wouters wrote:
> On Mon, 10 Dec 2018, Nico Williams wrote:
>
> >There's no reason to not also add support for an augmented PAKE for road
> >warriors. It's true that road warriors are already well-supported via
> >PKIX user certificates
>
> That is
On Mon, 10 Dec 2018, Nico Williams wrote:
There's no reason to not also add support for an augmented PAKE for road
warriors. It's true that road warriors are already well-supported via
PKIX user certificates
That is still missing OTP support :(
, so perhaps there's no need, but it's very
On Mon, 10 Dec 2018, Michael Richardson wrote:
Why do you think balanced PAKE is more appropriate for us than augmented?
Because I share Paul's view that the PSKs we care about are generally
identical in both directions
I agree here.
, and this use is primarily about site-to-site
On Mon, Dec 10, 2018 at 06:00:18PM -0500, Michael Richardson wrote:
> Valery Smyslov wrote:
> > Why do you think balanced PAKE is more appropriate for us than augmented?
>
> Because I share Paul's view that the PSKs we care about are generally
> identical in both directions, and this use is
On Mon, Dec 10, 2018 at 11:22:46AM +0300, Valery Smyslov wrote:
> > I think we should ask the CFRG to pick a single balanced PAKE for us.
>
> Why do you think balanced PAKE is more appropriate for us than augmented?
Speaking for myself rather than Michael, I think augmented is more
appropriate
Valery Smyslov wrote:
> > I'm watching the video (in five minute intervals for unexplained
> > reasons... it seems like I've been watching this video for days).
> >
> > I want to +1 Dan: we need a balanced PAKE.
> >
> > I sincerely wish Tero was right: that there was no excuse not to use digital
Hi Michael,
> I'm watching the video (in five minute intervals for unexplained
> reasons... it seems like I've been watching this video for days).
>
> I want to +1 Dan: we need a balanced PAKE.
>
> I sincerely wish Tero was right: that there was no excuse not to use digital
> signatures for
Hi Nico,
> > I think we should ask the CFRG to pick a single balanced PAKE for us.
>
> They've done so!
Not so sure. In Bangkok the CFRG just decided to start the
process of selecting "one or more" (that after discussion
turned out into "zero or more") recommended PAKE(s).
Regards,
Valery.
Nico Williams wrote:
> > I'm watching the video (in five minute intervals for unexplained
> > reasons... it seems like I've been watching this video for days).
>
> Which video?
The video of ipsecme from IETF103.
--
] Never tell me the odds! | ipv6 mesh networks [
I'm watching the video (in five minute intervals for unexplained
reasons... it seems like I've been watching this video for days).
I want to +1 Dan: we need a balanced PAKE.
I sincerely wish Tero was right: that there was no excuse not to use digital
signatures for good site-to-site, even