RE: [Emu] EMU PSK Method work Item
Magnus Nyström <magnus@rsasecurity.com> Thu, 02 February 2006 14:07 UTC
Date: Thu, 02 Feb 2006 14:53:27 +0100
From: Magnus Nyström <magnus@rsasecurity.com>
To: Bernard Aboba <bernard_aboba@hotmail.com>
Subject: RE: [Emu] EMU PSK Method work Item
In-Reply-To: <BAY106-F2019DAA344DFEEE6529397930B0@phx.gbl>
Message-ID: <Pine.WNT.4.62.0602021450580.4164@CTO-LAPTOP.eu.rsa.net>
References: <BAY106-F2019DAA344DFEEE6529397930B0@phx.gbl>
Cc: emu@ietf.org
But could not EAP-TLS be modified/updated to also allow "pure" TLS-PSK,
without requiring use of server certificates? AFAICS this would still be
TLS, not "TLS-derived" or "based on TLS".

-- Magnus

On Wed, 1 Feb 2006, Bernard Aboba wrote:

>> It seems we might achieve this goal and the two other work group items,
>> TLS-based EAP method and existing password database support, using a
>> single EAP method, e.g., a TLS based EAP method supporting PSK.
>
> One of the attractions of PSK is to implement it on an embedded device.
> So while it is possible to address the PSK work item using a TLS-derived
> protocol, attempting to glom this onto the EAP-TLS specification is a
> bad idea. Since EAP-TLS *requires* certificate support, adding PSK on to
> it would effectively require embedded devices to include certificate
> support just to support PSK, whether they needed to support certificates
> or not. This would greatly increase the required footprint.
>
> Of course, EMU WG could create a new protocol based on TLS that would
> *require* PSK support and allow optional certificate support. However, this
> would not be EAP-TLS but something new.
>
>> This would save us the work of trying to define two or three EAP
>> methods. One thing that might help us is to define what exactly is "strong
>> shared secret", "compact", and "simple" in a requirement or problem
>> statement. They might be expressed in terms of desired number of
>> exchanges, computing power, cipher suite limitations, etc. The security
>> requirements are already addressed by RFC 4017. I suggest we do the same
>> for the other two items. Then we can evaluate whether it is feasible to
>> achieve the three goals with a single EAP method and go from there.
>>
>> > -----Original Message-----
>> > From: emu-bounces@ietf.org [mailto:emu-bounces@ietf.org] On
>> > Behalf Of Joseph Salowey (jsalowey)
>> > Sent: Monday, January 30, 2006 12:22 AM
>> > To: emu@ietf.org
>> > Subject: [Emu] EMU PSK Method work Item
>> >
>> > The first work item on the EMU charter is to start work on a
>> > shared secret EAP method. The item on the charter is:
>> >
>> > "A mechanism based on strong shared secrets that meets RFC
>> > 3748 and RFC 4017 requirements. This mechanism should strive
>> > to be simple and compact for implementation in resource
>> > constrained environments."
>> >
>> > The emphasis here is to create a simple, secure mechanism to
>> > support pre-shared secret keys. Support for optional
>> > enhancements may be considered in the design as long as it
>> > does not bog down the progress of the work item. Current
>> > work in this area which should be considered in the design includes:
>> >
>> > EAP-PAX - draft-clancy-eap-pax-06.txt
>> > EAP-PSK - draft-bersani-eap-psk-09.txt
>> > EAP-SAKE - draft-vanderveen-eap-sake-00.txt
>> > EAP-IKEv2 - draft-eronen-ipsec-ikev2-eap-auth-04.txt
>> > TLS-PSK - RFC4279
>> >
>> > Please send email to the chairs if you are interested in
>> > participating as a contributor on the shared secret method
>> > design team along with a description of your experience.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www1.ietf.org/mailman/listinfo/emu