In your previous mail you wrote:
At 5:02 PM +0200 6/27/05, Francis Dupont wrote:
>are known to be weaker than certificates
That statement is false for many common uses of preshared secrets and
certificates. A preshared secret with even 80 bits of randomness is
stronger than most certificates used for authentication today. (See
RFC 3766 for the math behind this.)
=> my argument was not about key length but about the mechanisms
(i.e., computer science, not mathematics). Pre-shared secrets are
by definition at two places: this is enough to make the mechanism
weaker than asymmetric crypto. I can develop about the problem
to communicate the shared secret but in fact what I'd like to mean
is that pre-shared secrets are for good and less good reasons
perceived as weaker than certificates so the document in last call
can be preceived as a security regression.
> I remember a similar discussion about IKEv2 but in this case pre-shared
>secrets were kept for compatibility...
This is also false. The archives of the IPsec Working Group show that
there were many other reasons for supporting preshared secrets,
including many administrative scenarios.
=> I should be more accurate but my purpose was to launch a short discussion:
the compatibility was not a technical one but an operational one.
To summary my feeling is that IKEv1 is deployed at 90% with pre-shared
secrets and IKEv2 had to support them in order to be sold to current
BTW there are other good examples where both mechanisms can be used
with a "public opinion advantage" for the asymmetric crypto one.
TKEY (RFC 2930) and SIG(0) (RFC 2931) is the first example which crosses
The two authentication mechanisms have quite different properties and
each is appropriate in many settings. Saying one or the other is
"known to be weaker" without examining the context, particularly on a
general-purpose mailing list, will not help increase the security of
=> I am not (yet) convinced that to accept the document will help
to decrease the security of the Internet but clearly I'd like to be
reassured/comforted and I am afraid your arguments have not worked...
PS: for instance I'd like to understand why self-signed certificates
were rejected, cf section 1.1 "Applicability statement". This is the
second part of my concern: is the domain of application large enough?
Ietf mailing list