Cryptology ePrint Archive: Report 2021/839

Prudent Practices in Security Standardization

Feng Hao

Abstract: From June 2019 to March 2020, IETF conducted a selection process to choose password authenticated key exchange (PAKE) protocols for standardization. Similar standardization efforts were conducted before by IEEE (P1362.2) and ISO/IEC (11770-4). An important hallmark for this IETF selection process is its openness: anyone can nominate any candidate; all reviews are public; all email discussions on the IETF mailing lists are archived and publicly readable. However, despite the openness, it is unclear whether this IETF selection process has presented a successful model. Several important questions that were raised during the selection process had remained unaddressed even after the two winners (CPace and OPAQUE) were announced. We reflect on the IETF PAKE selection process as a case study, and summarize lessons in a set of principles with the hope to improve security standardization in the future.

Category / Keywords: cryptographic protocols / IETF, PAKE, aPAKE

Date: received 20 Jun 2021

Contact author: haofeng66 at gmail com

Available format(s): PDF | BibTeX Citation

Note: To appear in IEEE Communications Standards Magazine

Version: 20210621:080031 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]