Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04

Alan DeKok <aland@deployingradius.com> Thu, 04 March 2010 06:47 UTC

Message-ID: <4B8F577A.2030002@deployingradius.com>
Date: Thu, 04 Mar 2010 07:47:22 +0100
From: Alan DeKok <aland@deployingradius.com>
To: Yaron Sheffer <yaronf@checkpoint.com>
References: <mailman.918.1267675512.4805.emu@ietf.org> <7F9A6D26EB51614FBF9F81C0DA4CFEC801BE05CB5865@il-ex01.ad.checkpoint.com>
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BE05CB5865@il-ex01.ad.checkpoint.com>
Cc: "emu@ietf.org" <emu@ietf.org>

Yaron Sheffer wrote:
> Joe, what Dan is proposing is a reasonable way to use a one-time password for the initial provisioning of a trust anchor. Initial provisioning is important for many types of deployments. Does the document allow an alternative secure way to do that?

  TLS-based methods can leverage server certificates.  This is already
done in other areas (WiMAX, etc.).

  I.e., ship a device with a known CA, and on first provisioning, TLS
checks the server certificate, and the user validates that the name of
the server is what was expected.

  Since the document doesn't forbid anonymous methods, the only issue
here is whether or not the document should make them mandatory to
implement.  I agree with Joe, in that they shouldn't be mandatory.

  Alan DeKok.