
Re: [IPsec] Last Call: <draft-kivinen-ipsecme-secure-password-framework-01.txt> (Secure Password Framework for IKEv2) to Informational RFC

2011-07-27 17:31:31
I think this is a terrible idea. 

IKEv2 has a way for mutual authentication with a shared key.

A concern was raised that this method was vulnerable to guessing if trivial 
shared keys were configured.

There were several proposals for a better cryptographic method.

The IPsecME working group failed to choose between them. This is not so 
surprising, because most participants are engineers, not cryptographers. Even 
those with some cryptographic background stayed silent because choosing between 
several cryptographic protocols is hard. IETF last calls and the IESG did not 
help much either.

This draft represents a total shirking of our responsibility. Rather than 
decide on one protocol that is "best" or even arbitrarily choosing one that is 
"good enough", it proposes to build a framework so that everyone and their dog 
can have their own method. This is a nightmare for developers: since you can't 
know what method the peer will support, you have to implement all of them. 

If this had been a hierarchical organization, some manager would decide which 
of the methods gets developed (or published) and the others would be relegated 
to the recycle bin.

The IETF is not like that and we seek to reach consensus. That's a good thing, 
but this time it's leading us to a really bad solution for interoperability, 
and a really bad solution for implementers. 

I am opposed to this draft.

Yoav

On Jul 27, 2011, at 12:44 PM, The IESG wrote:
The IESG has received a request from an individual submitter to consider
the following document:
- 'Secure Password Framework for IKEv2'
 <draft-kivinen-ipsecme-secure-password-framework-01.txt> as an
Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf(_at_)ietf(_dot_)org mailing lists by 2011-08-24. Exceptionally, comments
may be sent to iesg(_at_)ietf(_dot_)org instead. In either case, please retain
the beginning of the Subject line to allow automated sorting.

Abstract

  This document creates a generic way for Internet Key Exchange (IKEv2)
  to use any of the symmetric secure password authentication methods.
  There are multiple methods already specified in other documents and
  this document does not add a new one.  This document specifies a common
  way so those methods can agree on which method is to be used in the
  current connection.  This document also provides a common way to
  transmit secure password authentication method specific payloads
  between peers.

The file can be obtained via
http://datatracker.ietf.org/doc/draft-kivinen-ipsecme-secure-password-framework/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-kivinen-ipsecme-secure-password-framework/
No IPR declarations have been submitted directly on this I-D.

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf