On Mar 22, 2010, at 11:18 AM, <black_da...@emc.com> <black_da...@emc.com> wrote:
> Summarizing what I said in the meeting: > > (1) The performance criteria should include performance with large complex > secrets (e.g., pre-shared keys), not just the smaller passwords that people > can reasonably be expected to remember. > > This is because a password-based authentication mechanism may be usefully > applied to shared secret authentication implementations that derive a > supposedly strong secret solely from a password (see the discussion of > pre-shared key authentication in Section 2.15 of RFC 4306). Password-based > authentication would provides some defense against this and other key > generation weaknesses. The original password that was used to generate the > shared secret may no longer be available, so good performance on large > complex secrets would enable password based authentication to use the derived > (supposedly strong) secret as the password. IKE already has PSK-based authentication. If my "password" is 9975612f178b31164bef5bb672cbeb1db6437d6459ff1d8a17f12ec73fcd5c92, then I don't need any new-fangled mode, because the authentication described in section 2.15 of RFC 4306 is good enough. The new mode we're looking for is for giving a little security for people who use the password "yoav71", thinking that nobody would ever guess it. _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
