A few points to some of the comments:

1) Thread devices are not typically smartphones and PCs. They are class 1
constrained devices according to RFC7228, i.e. thermostats and light
switches etc.
2) Device certs. and short fingerprints are indeed used in similar systems
to Thread (e.g. ZigBee IP)
3) There is an experimental version of TLS using EC-JPAKE. This will be
written up in an informational RFC as stated
4) Typically the device requiring network access has a burned-in passphrase
which is entered into a local commissioning device, establishing a secured
session and high-entropy shared secret, which is subsequently used for
delivering network parameters authorising network admission. Any PAKE would
have done, really; however, the decision was made to use EC-JPAKE. This method
may not be appropriate in all scenarios but provides a common, simple,
interoperable mechanism for consumer devices.

Robert



On 17 February 2016 at 06:52, Tony Arcieri <basc...@gmail.com> wrote:

> On Tue, Feb 16, 2016 at 10:45 PM, Dan Harkins <dhark...@lounge.org> wrote:
>
>> What?!? How is that "better"? Having a "keychain" that loops in some
>> vague "secure enclave" that makes authorization decisions based on some
>> app deriving a "strong master secret from a weak password/pin" sounds
>> complicated
>
>
> Microsoft:
> https://technet.microsoft.com/en-us/library/mt621546(v=vs.85).aspx
> Matt Green: https://twitter.com/matthew_d_green/status/699777680728842240
> Apple: https://www.apple.com/business/docs/iOS_Security_Guide.pdf (see
> also: Matt Green)
>
> Hardware interlocks around authentication allow various anti-brute force,
> exponential backoff, and device wiping security measures. They also allow
> you to unlock a "full entropy" cryptographic key with some low entropy
> mechanism like a PIN without the former being deterministically derived
> from the latter.
>
> I personally believe the future of authentication is having a weak
> credential which unlocks a strong credential on something you have. This
> approach to authentication is generally described as "something you have
> and something you know"
>
> --
> Tony Arcieri
>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
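
The property described in the quoted message above (a low-entropy PIN gating release of a full-entropy key that is not derived from it, with exponential backoff and wiping on repeated failures), as an added example that is not part of the thread. It is a software simulation only; the class names, failure limit, delays and PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

class FakeClock:
    """Injectable clock so backoff can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now

class SimulatedEnclave:
    """Toy model of a hardware interlock: a PIN gates release of a random key."""
    MAX_FAILURES = 5   # constructed policy: wipe on the 5th consecutive failure
    BASE_DELAY = 1.0   # constructed policy: seconds, doubled per failure

    def __init__(self, pin, clock):
        self._clock = clock
        self._salt = os.urandom(16)
        self._verifier = self._hash(pin)
        self._key = os.urandom(32)  # full entropy, NOT derived from the PIN
        self._failures = 0
        self._locked_until = 0.0

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    def unlock(self, pin):
        """Return the stored key for the right PIN; enforce backoff and wipe."""
        if self._key is None:
            raise RuntimeError("wiped")
        if self._clock() < self._locked_until:
            raise RuntimeError("backoff")  # guess rejected without being checked
        if hmac.compare_digest(self._hash(pin), self._verifier):
            self._failures = 0
            return self._key
        self._failures += 1
        if self._failures >= self.MAX_FAILURES:
            self._key = None  # destroy the strong credential
            raise RuntimeError("wiped")
        delay = self.BASE_DELAY * 2 ** (self._failures - 1)
        self._locked_until = self._clock() + delay
        raise PermissionError("wrong PIN")

if __name__ == "__main__":
    clock = FakeClock()
    enclave = SimulatedEnclave("1234", clock)  # constructed sample PIN
    print("key released:", enclave.unlock("1234").hex())
```

Because the key is random rather than a function of the PIN, two enclaves set up with the same PIN hold unrelated keys, and guessing is bounded by the interlock's counter rather than by the PIN's entropy.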
