Paper 2021/839

Prudent Practices in Security Standardization

Feng Hao

Abstract

From June 2019 to March 2020, IETF conducted a selection process to choose password authenticated key exchange (PAKE) protocols for standardization. Similar standardization efforts were conducted before by IEEE (P1362.2) and ISO/IEC (11770-4). An important hallmark for this IETF selection process is its openness: anyone can nominate any candidate; all reviews are public; all email discussions on the IETF mailing lists are archived and publicly readable. However, despite the openness, it is unclear whether this IETF selection process has presented a successful model. Several important questions that were raised during the selection process had remained unaddressed even after the two winners (CPace and OPAQUE) were announced. We reflect on the IETF PAKE selection process as a case study, and summarize lessons in a set of principles with the hope to improve security standardization in the future.

Note: To appear in IEEE Communications Standards Magazine

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Keywords
IETFPAKEaPAKE
Contact author(s)
haofeng66 @ gmail com
History
2021-06-21: received
Short URL
https://ia.cr/2021/839
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2021/839,
      author = {Feng Hao},
      title = {Prudent Practices in Security Standardization},
      howpublished = {Cryptology ePrint Archive, Paper 2021/839},
      year = {2021},
      note = {\url{https://eprint.iacr.org/2021/839}},
      url = {https://eprint.iacr.org/2021/839}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.