IETF Logo Mail Archive

Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04

"Hoeper Katrin-QWKN37" <khoeper@motorola.com> Wed, 03 March 2010 22:28 UTC

Return-Path: <khoeper@motorola.com>
X-Original-To: emu@core3.amsl.com
Delivered-To: emu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BD57928C3C4 for <emu@core3.amsl.com>; Wed, 3 Mar 2010 14:28:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.531
X-Spam-Level:
X-Spam-Status: No, score=-6.531 tagged_above=-999 required=5 tests=[AWL=0.068, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nchOTu1SAfGg for <emu@core3.amsl.com>; Wed, 3 Mar 2010 14:28:25 -0800 (PST)
Received: from mail128.messagelabs.com (mail128.messagelabs.com [216.82.250.131]) by core3.amsl.com (Postfix) with ESMTP id D8B5628C0F9 for <emu@ietf.org>; Wed, 3 Mar 2010 14:28:25 -0800 (PST)
X-VirusChecked: Checked
X-Env-Sender: khoeper@motorola.com
X-Msg-Ref: server-10.tower-128.messagelabs.com!1267655306!21553404!1
X-StarScan-Version: 6.2.4; banners=-,-,-
X-Originating-IP: [136.182.1.13]
Received: (qmail 21261 invoked from network); 3 Mar 2010 22:28:27 -0000
Received: from motgate3.mot.com (HELO motgate3.mot.com) (136.182.1.13) by server-10.tower-128.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 3 Mar 2010 22:28:27 -0000
Received: from il27exr04.cig.mot.com ([10.17.196.73]) by motgate3.mot.com (8.14.3/8.14.3) with ESMTP id o23MSLFK010655 for <emu@ietf.org>; Wed, 3 Mar 2010 15:28:26 -0700 (MST)
Received: from il27vts03 (il27vts03.cig.mot.com [10.17.196.87]) by il27exr04.cig.mot.com (8.13.1/Vontu) with SMTP id o23MSKsR013622 for <emu@ietf.org>; Wed, 3 Mar 2010 16:28:21 -0600 (CST)
Received: from de01exm68.ds.mot.com (de01exm68.am.mot.com [10.176.8.24]) by il27exr04.cig.mot.com (8.13.1/8.13.0) with ESMTP id o23MSKHm013618 for <emu@ietf.org>; Wed, 3 Mar 2010 16:28:20 -0600 (CST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 03 Mar 2010 17:27:58 -0500
Message-ID: <3A241A6B234BE948B8B474D261FEBC2F0729571A@de01exm68.ds.mot.com>
In-Reply-To: <6735e38c9874524655a4bbe39ffaab5b.squirrel@www.trepanning.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Emu] review of draft-ietf-emu-eaptunnel-req-04
Thread-Index: Acq7HthPj9A0Y7MmRVaYvtkOruoISQAAdHnQ
References: <70e5fb878f73a83d4ba7702e4dc46132.squirrel@www.trepanning.net> <AC1CFD94F59A264488DC2BEC3E890DE509BD34A6@xmb-sjc-225.amer.cisco.com> <3A241A6B234BE948B8B474D261FEBC2F07239D21@de01exm68.ds.mot.com> <a244565651e7f03494eda680a4ae636b.squirrel@www.trepanning.net> <3A241A6B234BE948B8B474D261FEBC2F0729536E@de01exm68.ds.mot.com> <30a512425eb4f0e1140dca0cc92eea30.squirrel@www.trepanning.net> <3A241A6B234BE948B8B474D261FEBC2F0729555F@de01exm68.ds.mot.com> <f78c0ed514c29c3e3cadd46d28731eb5.squirrel@www.trepanning.net> <3A241A6B234BE948B8B474D261FEBC2F0729562D@de01exm68.ds.mot.com> <61dde562d3f969274cb5cb5aabafa68b.squirrel@www.trepanning.net> <3A241A6B234BE948B8B474D261FEBC2F072956BA@de01exm68.ds.mot.com> <6735e38c9874524655a4bbe39ffaab5b.squirrel@www.trepanning.net>
From: Hoeper Katrin-QWKN37 <khoeper@motorola.com>
To: Dan Harkins <dharkins@lounge.org>
X-CFilter-Loop: Reflected
Cc: emu@ietf.org
Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Mar 2010 22:28:26 -0000

How does that authenticate the server if a user enters a password?

If the server says, yes that was the right password?



> -----Original Message-----
> From: Dan Harkins [mailto:dharkins@lounge.org]
> Sent: Wednesday, March 03, 2010 4:14 PM
> To: Hoeper Katrin-QWKN37
> Cc: Dan Harkins; Joseph Salowey; emu@ietf.org
> Subject: RE: [Emu] review of draft-ietf-emu-eaptunnel-req-04
> 
> 
>   Since they both use the same low-entropy password to perform their
> mutual authentication it is not, strictly speaking, just the peer's
> credential.
> 
>   Dan.
> 
> On Wed, March 3, 2010 1:45 pm, Hoeper Katrin-QWKN37 wrote:
> >
> > See inline.
> >> -----Original Message-----
> >> From: Dan Harkins [mailto:dharkins@lounge.org]
> >> Sent: Wednesday, March 03, 2010 3:39 PM
> >> To: Hoeper Katrin-QWKN37
> >> Cc: Dan Harkins; Joseph Salowey; emu@ietf.org
> >> Subject: RE: [Emu] review of draft-ietf-emu-eaptunnel-req-04
> >>
> >>
> >>   Hi Katrin,
> >>
> >> On Wed, March 3, 2010 12:31 pm, Hoeper Katrin-QWKN37 wrote:
> >> > Dan,
> >> >
> >> > OK, I understand that the tunnel provides all these other feats.
> >> >
> >> > But why can't the server authenticate during the tunnel protocol?
I
> >> > still don't understand the use case for mutually anonymous
tunnels.
> >>
> >>   Because it doesn't have the right credential.
> >>
> >> > If the server has a certificate why can't it send it to the peer
> > before
> >> > or during the tunnel establishment?
> >>
> >>   If the server has a certificate then sending it to the peer
> >> would not really solve any problem. The peer would still need to
> >> have a reason to trust it and we're back to the problem of putting
> >> a trusted certificate in some certificate store. A global PKI to
> >> solve all of our certificate issues still has not materialized.
> >>
> >> > If the peer and server share a secret, than this could be used to
> >> > establish the tunnel.
> >>
> >>   If the peer and server share a secret they could use one of the
PSK
> >> ciphersuites for TLS but those are susceptible to a dictionary
attack
> >> and are therefore inappropriate.
> >>
> >>   The tunnel is being established with EAP-TLS so we are limited to
> >> TLS ciphersuites and the authentication they provide. If a TLS
> > ciphersuite
> >> was appropriate always and everywhere then we would not need any
other
> >> EAP methods, we'd just do EAP-TLS. But that is not the case. Also
it
> > is
> >> a requirement to tunnel additional EAP methods inside the tunnel so
> >> obviously there are EAP methods that provide something that a TLS
> >> ciphersuite does not.
> >>
> >> > What I am saying is what kind of server authentication
credentials
> > could
> >> > be used inside an anonymous tunnel that could not be used to
> >> > authenticate the server in the tunnel protocol? (given that
privacy
> > is
> >> > not the issue)
> >>
> >>   A low-entropy password that can easily be remembered and entered
by
> > a
> >> human with low probability of error.
> > [KH] I asked what kind of SERVER credentials not peer credentials.
> >>
> >>   Dan.
> >>
> >
> >
>

v2.23.0 | Report a Bug | By Email