IETF Logo Mail Archive

Re: [Emu] server unauthenticated provisioning mode

Glen Zorn <glenzorn@gmail.com> Sat, 27 August 2011 05:20 UTC

Return-Path: <glenzorn@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 787B621F8A97 for <emu@ietfa.amsl.com>; Fri, 26 Aug 2011 22:20:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level:
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wtk4yHU6bzhb for <emu@ietfa.amsl.com>; Fri, 26 Aug 2011 22:20:25 -0700 (PDT)
Received: from mail-yi0-f44.google.com (mail-yi0-f44.google.com [209.85.218.44]) by ietfa.amsl.com (Postfix) with ESMTP id DBCDC21F8A67 for <emu@ietf.org>; Fri, 26 Aug 2011 22:20:24 -0700 (PDT)
Received: by yie12 with SMTP id 12so2538539yie.31 for <emu@ietf.org>; Fri, 26 Aug 2011 22:21:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=8FR48bEq3j7Htm9+LlhM9VQZ330tD8oDilvpMHglugw=; b=msFchnT7zEOyQpuM0pkdomND4gUsdA8Kc7xyykAMbc5mzviFptWFo87tzl4Aj9NZjs M2rU12FUdV5JVtbabHgzus9bwSwIolo/NSgUMsXhnZ1N3i88AFXZXJqMKe/sGjFB5XoD 8RbyllmtipNhM5A4yhbFR0cR/BEbdPV581jBc=
Received: by 10.101.26.3 with SMTP id d3mr1821619anj.105.1314422501580; Fri, 26 Aug 2011 22:21:41 -0700 (PDT)
Received: from [192.168.1.98] (ppp-115-87-77-81.revip4.asianet.co.th [115.87.77.81]) by mx.google.com with ESMTPS id d33sm2289464ano.35.2011.08.26.22.21.36 (version=SSLv3 cipher=OTHER); Fri, 26 Aug 2011 22:21:40 -0700 (PDT)
Message-ID: <4E587EDC.6000601@gmail.com>
Date: Sat, 27 Aug 2011 12:21:32 +0700
From: Glen Zorn <glenzorn@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20110812 Thunderbird/6.0
MIME-Version: 1.0
To: Dan Harkins <dharkins@lounge.org>
References: <903fd07b1005de677ae850769bc0d9ba.squirrel@www.trepanning.net> <tslvctm8vu7.fsf@mit.edu> <aec7a052a6bdefd7dbd6651e4979fbd3.squirrel@www.trepanning.net> <tslippm8s7s.fsf@mit.edu> <6b23533ec43dc5c694d925e9302d721d.squirrel@www.trepanning.net> <tsl39gq8hr3.fsf@mit.edu> <4b9c28e27e7a32813d553f4ab78091cb.squirrel@www.trepanning.net> <tslobzd5wsi.fsf@mit.edu> <04f60572044e1534aaa136093e77f0f4.squirrel@www.trepanning.net> <4E572FD4.4040704@gmail.com> <7512996bb3562a81db9cb1d4a7fb5998.squirrel@www.trepanning.net> <4E573CDB.1080006@gmail.com> <9139533370ecd95c12b385c2610bdfb2.squirrel@www.trepanning.net>
In-Reply-To: <9139533370ecd95c12b385c2610bdfb2.squirrel@www.trepanning.net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: Sam Hartman <hartmans-ietf@mit.edu>, emu@ietf.org
Subject: Re: [Emu] server unauthenticated provisioning mode
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Aug 2011 05:20:25 -0000

On 8/26/2011 10:56 PM, Dan Harkins wrote:

...

>>>>>   I completely missed that. Sorry. But if the IETF standardized a
>>>>> wholly inappropriate protocol like MSCHAPv2 (it doesn't even generate
>>>>> a
>>>>> shared key)
>>>>
>>>> Please check your sources & refrain from spouting nonsense; if EAP-pwd
>>>> is really so wonderful you shouldn't need to disparage other work, it
>>>> should stand on its own merit.
>>>
>>>   I stand corrected. That must be why draft-zorn-emu-team proposed using
>>> MSCHAPv2. Oh wait, it didn't. It proposed using EAP-pwd.
>>
>> & this has a relation to your misrepresentation  how?
> 
>   It doesn't really, it was a reference to your implication that EAP-pwd
> cannot stand on its own merit, and requires the disparagement of other
> work to prop it up. Which I think we can both agree is not the case.

Actually, Dan, I implied (or intended to imply) no such thing.  My point
was that making demonstrably false claims about other protocols doesn't
strengthen your case but only weakens it, making it appear that EAP-pwd
cannot stand on its own merits.  MS-CHAPv2 was not specifically _not_
standardized by the IETF, the protocol was documented in a purely
informational document ("This memo provides information for the Internet
community. It does not specify an Internet standard of any kind.").
While the ubiquity of Windows undoubtedly had an influence on its
adoption, the main reason IMHO was that it solved a real problem which
was widely disparaged within the IETF as either nonexistent or
inappropriate (i.e., "if you would just change everything you do the way
we told you to, that problem wouldn't exist").

> 
>   Anyway, yes I misrepresented MSCHAPv2. It does produce a key. I was
> wrong.
> 
>   But I still think the statement that MSCHAPv2 is inappropriate for
> doing server unauthenticated provisioning mode is valid even with a
> secret key output by MSCHAPv2. I hope we can both agree on that too.

I am inclined to think that resistance to attack is a valuable thing in
this case; EAP-pwd is demonstrably less susceptible to a variety of
attacks than MS-CHAPv2 (or for that matter, EAP-GPSK).  Furthermore, I
think that constraining the choice of a MTI type on the basis of a
single academic project (instead of security) is basically unconscionable.

v2.23.0 | Report a Bug | By Email