Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04
"Hoeper Katrin-QWKN37" <khoeper@motorola.com> Wed, 03 March 2010 22:33 UTC
From: Hoeper Katrin-QWKN37 <khoeper@motorola.com>
To: Hoeper Katrin-QWKN37 <khoeper@motorola.com>, Dan Harkins <dharkins@lounge.org>
Cc: emu@ietf.org
Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04

Sorry Dan,

Is EAP-pwd using the password for mutual authentication?

> -----Original Message-----
> From: emu-bounces@ietf.org [mailto:emu-bounces@ietf.org] On Behalf Of
> Hoeper Katrin-QWKN37
> Sent: Wednesday, March 03, 2010 4:28 PM
> To: Dan Harkins
> Cc: emu@ietf.org
> Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04
>
> How does that authenticate the server if a user enters a password?
>
> If the server says, yes that was the right password?
>
> > -----Original Message-----
> > From: Dan Harkins [mailto:dharkins@lounge.org]
> > Sent: Wednesday, March 03, 2010 4:14 PM
> > To: Hoeper Katrin-QWKN37
> > Cc: Dan Harkins; Joseph Salowey; emu@ietf.org
> > Subject: RE: [Emu] review of draft-ietf-emu-eaptunnel-req-04
> >
> > Since they both use the same low-entropy password to perform their
> > mutual authentication it is not, strictly speaking, just the peer's
> > credential.
> >
> > Dan.
> >
> > On Wed, March 3, 2010 1:45 pm, Hoeper Katrin-QWKN37 wrote:
> > >
> > > See inline.
> > >> -----Original Message-----
> > >> From: Dan Harkins [mailto:dharkins@lounge.org]
> > >> Sent: Wednesday, March 03, 2010 3:39 PM
> > >> To: Hoeper Katrin-QWKN37
> > >> Cc: Dan Harkins; Joseph Salowey; emu@ietf.org
> > >> Subject: RE: [Emu] review of draft-ietf-emu-eaptunnel-req-04
> > >>
> > >> Hi Katrin,
> > >>
> > >> On Wed, March 3, 2010 12:31 pm, Hoeper Katrin-QWKN37 wrote:
> > >> > Dan,
> > >> >
> > >> > OK, I understand that the tunnel provides all these other feats.
> > >> >
> > >> > But why can't the server authenticate during the tunnel protocol? I
> > >> > still don't understand the use case for mutually anonymous tunnels.
> > >>
> > >> Because it doesn't have the right credential.
> > >>
> > >> > If the server has a certificate why can't it send it to the peer before
> > >> > or during the tunnel establishment?
> > >>
> > >> If the server has a certificate then sending it to the peer
> > >> would not really solve any problem. The peer would still need to
> > >> have a reason to trust it and we're back to the problem of putting
> > >> a trusted certificate in some certificate store. A global PKI to
> > >> solve all of our certificate issues still has not materialized.
> > >>
> > >> > If the peer and server share a secret, then this could be used to
> > >> > establish the tunnel.
> > >>
> > >> If the peer and server share a secret they could use one of the PSK
> > >> ciphersuites for TLS but those are susceptible to a dictionary attack
> > >> and are therefore inappropriate.
> > >>
> > >> The tunnel is being established with EAP-TLS so we are limited to
> > >> TLS ciphersuites and the authentication they provide. If a TLS ciphersuite
> > >> was appropriate always and everywhere then we would not need any other
> > >> EAP methods, we'd just do EAP-TLS. But that is not the case. Also it is
> > >> a requirement to tunnel additional EAP methods inside the tunnel so
> > >> obviously there are EAP methods that provide something that a TLS
> > >> ciphersuite does not.
> > >>
> > >> > What I am saying is what kind of server authentication credentials could
> > >> > be used inside an anonymous tunnel that could not be used to
> > >> > authenticate the server in the tunnel protocol? (given that privacy is
> > >> > not the issue)
> > >>
> > >> A low-entropy password that can easily be remembered and entered by a
> > >> human with low probability of error.
> > > [KH] I asked what kind of SERVER credentials not peer credentials.
> > >>
> > >> Dan.
> > >>
> > >
> >
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu