Re: [TLS] Straw poll on TLS SRP status

On Tue, 5 Jun 2007, Yoav Nir wrote:

> However, Martin is right, in that the incentive works. ECC has been slowed down significantly by Certicom's patent claims, both in standards and in implementations. This has finally made Certicom issue a royalty-free license for use of ECC in IKE and TLS.

Yup, and Stanford has issued a royalty-free license for SRP. The only remaining message to send is to competitors trying to do a denial-of-service against it. Making SRP-TLS Proposed would send the message that this DoS attack doesn't work against the IETF, discouraging "patent race" behavior.

> Strictly speaking, there is a specific protocol. The EAP-SRP draft is expired, but still available (maybe someone should pick up this effort)
> http://tools.ietf.org/id/draft-ietf-pppext-eap-srp-03.txt
> and the EAP-in-TLS draft is still current (though we are going to publish a newer version soon)
> http://www.ietf.org/internet-drafts/draft-nir-tee-pm-00.txt
>
> I agree, though, that this hasn't had the security analysis that was given to SRP-TLS.
>
> I really have two concerns with SRP-TLS:
> 1. It's usually not a good idea to provide two ways of doing the same thing. In this case, if the TLS library maker should support both EAP-SRP and SRP-TLS, that complicates the security analysis of the library. The websites would probably want to support both.

I don't think the "complicates the security analysis" point is valid - it is no more complicated than a TLS library that supports both client certs and, say, PSK. And as you point out yourself, there would be many differences between the two that would make one or the other preferable for a given server to support, so they're really not doing the same thing. In this case, there would be a clear tradeoff between the advantages you cite for EAP versus the roundtrip, performance, and possible security advantages of SRP-TLS.

Tom
--
Tom Wu
http://www-cs-students.stanford.edu/~tjw/

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.