Re: [TLS] Straw poll on TLS SRP status




Note that I am not against SRP at all. Although the EAP-SRP effort seems to have been abandoned, it still has method type number 19 in IANA.

I think SRP should not be a stand-alone extension, but rather that it should be introduced as part of EAP.

The choice is between separate extensions for SRP and for each authentication method, or to introduce them all at once under EAP, as was done in IKEv2.

On May 28, 2007, at 1:40 AM, Tom Wu wrote:

I really think you should give the user the choice between IPR-laden methods (such as EAP-SRP) and IPR-free methods such as EAP-MD5.

As you indicate, your bias affects how you frame the issue and what premises you accept. In actuality, your point is ironically a good one in favor of making TLS-SRP Proposed, precisely because it's a good thing to have a choice between a strong password solution (TLS-SRP) and a weaker one (EAP-MD5?) in TLS.

And given that SRP's licensing terms have made it the most widespread
of the various strong password techniques, it's the only viable
candidate for Proposed status, if you believe that it is to the
benefit of the greater good to have a strong (against passive and
active dictionary attack), well-tested, and standardized mechanism
for password authentication over TLS.  Then let the market decide.

Tom
--
Tom Wu
http://www-cs-students.stanford.edu/~tjw/

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls







Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.