[abfab] Comments on draft-linus-abfab-ephemeral-keying-00
"Jim Schaad" <ietf@augustcellars.com> Tue, 18 February 2014 19:15 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 953301A0150 for <abfab@ietfa.amsl.com>; Tue, 18 Feb 2014 11:15:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h5o85C57Cu_S for <abfab@ietfa.amsl.com>; Tue, 18 Feb 2014 11:15:03 -0800 (PST)
Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) by ietfa.amsl.com (Postfix) with ESMTP id 80E731A03F6 for <abfab@ietf.org>; Tue, 18 Feb 2014 11:14:53 -0800 (PST)
Received: from Philemon (c-24-17-142-118.hsd1.wa.comcast.net [24.17.142.118]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp1.pacifier.net (Postfix) with ESMTPSA id 878122CA39; Tue, 18 Feb 2014 11:14:50 -0800 (PST)
From: Jim Schaad <ietf@augustcellars.com>
To: draft-linus-abfab-ephemeral-keying@tools.ietf.org
Date: Tue, 18 Feb 2014 11:13:09 -0800
Message-ID: <07af01cf2cdd$761361d0$623a2570$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_07B0_01CF2C9A.67F0BE10"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac8s2X9TP8oSuloLQG2zwaVvrAmrbw==
Content-Language: en-us
Archived-At: http://mailarchive.ietf.org/arch/msg/abfab/xkdW42fOD09PrXy-IbcW9-itLVk
Cc: abfab@ietf.org
Subject: [abfab] Comments on draft-linus-abfab-ephemeral-keying-00
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Feb 2014 19:15:06 -0000
Section 2. - I am not sure if you are trying to restrict to the conversation between the initiator and the acceptor based on the fact that you are throwing in RADIUS. There is no RADIUS spoken here. Section 2.1 - para #2 - The first sentence is just wrong. No matter what type of RADIUS you are using, intermediates always have access to the EAP MSK. The difference between RADIUS/UDP and RADIUS/TLS or RADIUS/DTLS is the question of how much passive intermediaries are going to be able to see based on the use of a long term shared secret. Section 2.2 - Passive observers may also be able to fingerprint the client based on TLS restart information. Section 2.3 - This should include exposing the realm of the user (or the full user name in bad implementations). You say [ maybe expand on how TEAP [draft-ietf-emu-eap-tunnel-method <http://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method> ] could solve the problem of AAA proxies learning the MSK, impersonating the RP ] I would be very interested in seeing how you think there could possibly be a solution in this space. I can't see one. There probably needs to be a nod to using an application level tunnel as well. While I think that it might be nice to have this in the GSS-EAP layer, we cannot ignore this as an option. Jim
- [abfab] Comments on draft-linus-abfab-ephemeral-k… Jim Schaad
- Re: [abfab] Comments on draft-linus-abfab-ephemer… Linus Nordberg
- Re: [abfab] Comments on draft-linus-abfab-ephemer… Jim Schaad
- Re: [abfab] Comments on draft-linus-abfab-ephemer… Linus Nordberg