Hi David, On Tue, March 27, 2012 7:39 am, david.bl...@emc.com wrote: > Hi Dan, > > One process note: > >> It appears that all the PAKE drafts got one "yes" from the sponsoring >> AD and the remaining votes were "no objection" so it doesn't seem like >> the IESG is really interested in this topic and, frankly, I think the >> majority think "that stuff is out of my field of expertise". So my only >> option is to cajole an AD into sponsoring my draft and hoping that no >> one >> else on the IESG objects by saying, "didn't we just do this?" > > Speaking from long experience as a chair of many WGs, that sort of IESG > vote tally is typical, even for WG docs (although usually both of the > responsible Area ADs vote yes, as they're both "sponsoring"). IMHO, > you're being overly pessimistic. > >> So let me turn it around, what's wrong with "Specification Required"? > > While I know that you're competent to design a solid protocol, who does > the security review of the next 5 j-random authentication mechanisms to > make sure that they don't have security flaws? I'd prefer something like > IESG approval that puts the Security Area in the loop to the notion of > deferring to some form of Expert Review (this is not a slam against Tero > as the expert - wider review usually produces better results).
That's a really good point. Had it been "Specification Required" all along XAUTH might've gotten an official code point. And who knows maybe one of the j-random proposals might be just that. But IKEv1 really is pretty done. At this point I'm pretty sure that j would be zero. I know IKE's being used wrong and I know the people who are using it wrong don't want to go to IKEv2. They understand what they're doing is broken (a shared PSK for everyone followed by PAP in XAUTH) but they don't want to go to IKEv2 and use EAP to "fix" it, and it doesn't sound like going to IKEv2 with SPSK is much more attractive. I think we can make things better with a simple addition and I just want to be able to do that. regards, Dan. _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec