Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04

[Yaron Sheffer <yaronf@checkpoint.com>]

Hi Alan,

Initial provisioning by shipping the device with the trust anchor pre-installed is fine, if you're Verizon. But in many cases you don't control the device, and don't have a trusted path through which to transport the CA cert (I am thinking enterprise CA here, not a public CA). The combination of anonymous tunnel plus mutual auth with a one-time password allows you to do that.

But I'm OK with not making this option mandatory, since there are important use cases that don't need it.

Thanks,
	Yaron

> -----Original Message-----
> From: Alan DeKok [mailto:aland@deployingradius.com]
> Sent: Thursday, March 04, 2010 8:47
> To: Yaron Sheffer
> Cc: emu@ietf.org
> Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04
> 
> Yaron Sheffer wrote:
> > Joe, what Dan is proposing is a reasonable way to use a one-time
> password for the initial provisioning of a trust anchor. Initial
> provisioning is important for many types of deployments. Does the
> document allow an alternative secure way to do that?
> 
>   TLS-based methods can leverage server certificates.  This is already
> done in other areas (WiMAX, etc.)
> 
>   i.e. ship a device with a known CA, and on first provisioning, TLS
> checks the server certificate, and the user validates that the name of
> the server is what was expected.
> 
>   Since the document doesn't forbid anonymous methods, the only issue
> here is whether or not the document should make them mandatory to
> implement.  I agree with Joe, in that they shouldn't be mandatory.
> 
>   Alan DeKok.
> 
> Scanned by Check Point Total Security Gateway.