ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Protocol Action: 'Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)' to Proposed Standard

2005-06-28 05:12:14
from [Francis Dupont] [Permanent Link] 

 In your previous mail you wrote:

   At 5:02 PM +0200 6/27/05, Francis Dupont wrote:
   >pre-shared secrets
   >are known to be weaker than certificates
   
   That statement is false for many common uses of preshared secrets and 
   certificates. A preshared secret with even 80 bits of randomness is 
   stronger than most certificates used for authentication today. (See 
   RFC 3766 for the math behind this.)
   
=> my argument was not about key length but about the mechanisms
(i.e., computer science, not mathematics). Pre-shared secrets are
by definition at two places: this is enough to make the mechanism
weaker than asymmetric crypto. I can develop about the problem
to communicate the shared secret but in fact what I'd like to mean
is that pre-shared secrets are for good and less good reasons
perceived as weaker than certificates so the document in last call
can be preceived as a security regression.

   >  I remember a similar discussion about IKEv2 but in this case pre-shared
   >secrets were kept for compatibility...
   
   This is also false. The archives of the IPsec Working Group show that 
   there were many other reasons for supporting preshared secrets, 
   including many administrative scenarios.
   
=> I should be more accurate but my purpose was to launch a short discussion:
the compatibility was not a technical one but an operational one.
To summary my feeling is that IKEv1 is deployed at 90% with pre-shared
secrets and IKEv2 had to support them in order to be sold to current
IKEv1 administrators.

BTW there are other good examples where both mechanisms can be used
with a "public opinion advantage" for the asymmetric crypto one.
TKEY (RFC 2930) and SIG(0) (RFC 2931) is the first example which crosses
my mind.

   The two authentication mechanisms have quite different properties and 
   each is appropriate in many settings. Saying one or the other is 
   "known to be weaker" without examining the context, particularly on a 
   general-purpose mailing list, will not help increase the security of 
   the Internet.
   
=> I am not (yet) convinced that to accept the document will help
to decrease the security of the Internet but clearly I'd like to be
reassured/comforted and I am afraid your arguments have not worked...

Regards

Francis(_dot_)Dupont(_at_)enst-bretagne(_dot_)fr

PS: for instance I'd like to understand why self-signed certificates
were rejected, cf section 1.1 "Applicability statement". This is the
second part of my concern: is the domain of application large enough?

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Proper behaviour towards irritating persons (RE: I'm not going to listen...), grenville armitage
Next by Date:  Re: RFC 2434 term "IESG approval" (Re: IANA Action: Assignment of an IPV6 Hop-by-hop Option), Harald Tveit Alvestrand
Previous by Thread:  Re: Protocol Action: 'Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)' to Proposed Standard, Paul Hoffman
Next by Thread:  Re: Last Call: 'Required functions of User Interface for the Internet X.509 Public Key Infrastructure' to Informational RFC, Dave Crocker
Indexes:  [Date] [Thread] [Top] [All Lists]