List: cfrg
Subject: [Cfrg] Question regarding CFRG process
From: Trevor Perrin <trevp () trevp ! net>
Date: 2013-12-13 0:06:12
Message-ID: CAGZ8ZG0qnon4CYUh+2t201aioU1sHVQT9_8CMoez_5yM=N-cCA () mail ! gmail ! com
Dear CFRG (cc: TLS, SAAG),

I'd like to understand how the CFRG decides on guidance to provide IETF WGs.

It appears the CFRG chairs provide this guidance based on their own
opinions, disregarding any feedback from the mailing list or IETF
meetings.

In particular, the CFRG chairs have repeatedly endorsed the
"Dragonfly" protocol to the TLS WG. However, I find no evidence of
*ANY* positive feedback regarding Dragonfly in the CFRG mailing list
or meeting minutes, except from the draft's author and CFRG co-chair
Kevin Igoe.

Compared to Kevin's enthusiasm, note:
* Respected cryptographers and security engineers like Jonathan Katz,
  Adam Back, and Rene Struik expressed skepticism on the list
* The single in-depth discussion at an IETF meeting was a string of complaints
* Alternative proposals were made to CFRG (J-PAKE, AugPAKE).

Could the chairs please clarify how they decided to endorse Dragonfly to TLS WG?

Below is a summary of all CFRG discussion of Dragonfly.
=====
Feb 2008
- Dan Harkins proposes early Dragonfly to CFRG
http://www.ietf.org/mail-archive/web/cfrg/current/msg02205.html
- Scott Fluhrer breaks it
http://www.ietf.org/mail-archive/web/cfrg/current/msg02206.html
...
Nov 2011
- David McGrew appoints Kevin Igoe as CFRG co-chair
http://www.ietf.org/mail-archive/web/cfrg/current/msg03026.html
Dec 2011
- Dan Harkins asks CFRG to look at TLS-PWD, based on Dragonfly
http://www.ietf.org/mail-archive/web/cfrg/current/msg03044.html
- Scott Fluhrer points out a problem
http://www.ietf.org/mail-archive/web/cfrg/current/msg03045.html
- Adam Back questions necessity of it, and lack of security
analysis
http://www.ietf.org/mail-archive/web/cfrg/current/msg03046.html
Jan 2012
- Kevin Igoe's first email to CFRG:
"I really like this idea & can find no problems."
http://www.ietf.org/mail-archive/web/cfrg/current/msg03047.html
- Jonathan Katz questions lack of security analysis, points out
problems
http://www.ietf.org/mail-archive/web/cfrg/current/msg03052.html
http://www.ietf.org/mail-archive/web/cfrg/current/msg03053.html
March 2012
- At IETF 83 CFRG meeting, concerns are raised about:
  - SPEKE patents
  - necessity of a new scheme
  - timing attacks
  - non-augmented properties
http://www.ietf.org/proceedings/83/minutes/minutes-83-cfrg.txt
May 2012
- Kevin Igoe points out a limitation due to "hunting-and-pecking"
http://www.ietf.org/mail-archive/web/cfrg/current/msg03099.html
- Zhou Sujing and Dan have an exchange that's hard to follow.
http://www.ietf.org/mail-archive/web/cfrg/current/msg03115.html
July 2012
- At IETF 84 TLS meeting (CFRG does not meet):
  - Kevin Igoe informs TLS WG, as the CFRG chair:
    "We approve of it, very clear and usable for general setting."
http://www.ietf.org/proceedings/84/minutes/minutes-84-tls
Oct 2012
- Kevin Igoe calls CFRG attention to Dragonfly draft-00
http://www.ietf.org/mail-archive/web/cfrg/current/msg03214.html
- Jonathan Katz asks for a security proof - there is none
http://www.ietf.org/mail-archive/web/cfrg/current/msg03215.html
http://www.ietf.org/mail-archive/web/cfrg/current/msg03216.html
Dec 2012
- Kevin Igoe calls CFRG attention to Dragonfly
  - raises timing attack issue, proposes 2 fixes, including
    rediscovery of Dan's original broken method (2008)
http://www.ietf.org/mail-archive/web/cfrg/current/msg03258.html
- Rene Struik points out the error in Kevin's proposal, and
the inefficiency of Dragonfly relative to SPEKE
http://www.ietf.org/mail-archive/web/cfrg/current/msg03259.html
- Scott Fluhrer points out the error in Kevin's proposal, and
proposes a flawed "mostly constant time" fix. Dan and Kevin
embrace it.
http://www.ietf.org/mail-archive/web/cfrg/current/msg03260.html
http://www.ietf.org/mail-archive/web/cfrg/current/msg03262.html
http://www.ietf.org/mail-archive/web/cfrg/current/msg03263.html
http://www.ietf.org/mail-archive/web/cfrg/current/msg03264.html
http://www.ietf.org/mail-archive/web/cfrg/current/msg03265.html
Feb 2013
- draft-01 is uploaded with flawed sidechannel fix
  - also quietly fixes security issue reported by Dylan Clarke
    and Feng Hao
http://www.ietf.org/mail-archive/web/cfrg/current/msg03309.html
http://www.ietf.org/mail-archive/web/cfrg/current/msg03529.html
Apr 2013
- Kevin Igoe mentions a last call for Dragonfly
"The design looks mature, it addresses a real need, and no one
has raised any issues."
http://www.ietf.org/mail-archive/web/cfrg/current/msg03383.html
May 2013
- Feng Hao asks CFRG to consider J-PAKE (an alternative)
http://www.ietf.org/mail-archive/web/cfrg/current/msg03430.html
July 2013
- Rene Struik points out spec bugs, raises timing attack issue
again
http://www.ietf.org/mail-archive/web/cfrg/current/msg03486.html
http://www.ietf.org/mail-archive/web/cfrg/current/msg03489.html
- IETF 87, CFRG meeting:
- "The author is working on a new (and hopefully final) draft"
http://www.ietf.org/proceedings/87/minutes/minutes-87-cfrg
Aug 2013
- draft-02 is uploaded with modifications to "hunting-and-pecking"
http://www.ietf.org/mail-archive/web/cfrg/current/msg03509.html
Sep 2013
- SeongHan Shin asks CFRG to consider AugPAKE (an alternative)
http://www.ietf.org/mail-archive/web/cfrg/current/msg03523.html
Nov/Dec 2013
- Joe Salowey begins TLS-PWD last call, and informs TLS WG that:
"The underlying cryptographic protocol for TLS-PWD has been
reviewed by the IRTF CFRG group with satisfactory results."
http://www.ietf.org/mail-archive/web/tls/current/msg10476.html
- Uproar on TLS WG:
  - Many object to lack of formal security analysis:
    Douglas Stebila, Uri Blumenthal, Bodo Moeller, Rene Struik,
    Watson Ladd
  - Many point out better alternatives:
    SeongHan Shin, Robert Ransom, Watson Ladd, Trevor Perrin
  - Security flaws are pointed out by Bodo Moeller and
    CodesInChaos
http://www.ietf.org/mail-archive/web/tls/current/msg10708.html
http://www.ietf.org/mail-archive/web/tls/current/msg10768.html
  - Rene Struik and Bodo Moeller dispute that CFRG approved this
http://www.ietf.org/mail-archive/web/tls/current/msg10769.html
http://www.ietf.org/mail-archive/web/tls/current/msg10812.html
  - Eric Rescorla (TLS WG chair) states:
    "we did have a verbal report back from the chair of the CFRG
    that they considered it satisfactory"
http://www.ietf.org/mail-archive/web/tls/current/msg10819.html
Trevor