Hi David,
I think both of these are (correct) requirements, rather than criteria.
None of the algorithms I've seen care whether it's a 6-char ASCII
password, or 512 truly-random bits. None of them say anything about
management (with the possible exception of the "augmented" algorithms
where the "augmentation" has some bearing on management).
Regarding management, -01 says this, which I think is in line with what
you're saying:
It is noted that some features (such as support for password expiry)
and some security criteria (such as resistance to server compromise)
are very important for the "teleworker" use case. This document is
limited to the use of password-based authentication to achieve trust
between gateways, and for this use case, these features and criteria
are of questionable value.
Thanks,
Yaron
On 22.3.2010 20:18, black_da...@emc.com wrote:
Summarizing what I said in the meeting:
(1) The performance criteria should include performance with large complex
secrets (e.g., pre-shared keys), not just the smaller passwords that people can
reasonably be expected to remember.
This is because a password-based authentication mechanism may be usefully
applied to shared secret authentication implementations that derive a
supposedly strong secret solely from a password (see the discussion of
pre-shared key authentication in Section 2.15 of RFC 4306). Password-based
authentication would provide some defense against this and other key
generation weaknesses. The original password that was used to generate the
shared secret may no longer be available, so good performance on large complex
secrets would enable password-based authentication to use the derived
(supposedly strong) secret as the password.
(2) Management (e.g., password change, password policy) is not mentioned in the
criteria document. This is good.
Keeping management orthogonal (i.e., out of scope of this criteria discussion)
is (IMHO) a good thing, as management techniques and requirements may vary
widely across classes of implementations.
Thanks,
--David
----------------------------------------------------
David L. Black, Distinguished Engineer
EMC Corporation, 176 South St., Hopkinton, MA 01748
+1 (508) 293-7953 FAX: +1 (508) 293-7786
black_da...@emc.com Mobile: +1 (978) 394-7754
----------------------------------------------------
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec