Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges

[Nicolas Williams <Nicolas.Williams@sun.com>]

On Fri, Aug 19, 2005 at 01:12:22PM -0500, Nicolas Williams wrote:
> On Fri, Aug 19, 2005 at 10:25:24AM -0700, Salowey, Joe wrote:
> > > From: Charles Clancy [mailto:clancy@cs.umd.edu] 
> > > 
> > > IMHO, Framework Bindings sounds like the way to go.  It gives 
> > > you more control over which mechanisms are used in which 
> > > frameworks.  Each framework has a different threat model, and 
> > > not all mechanisms from one framework may be good in another. 
> > >  For example, using basic krb5 in 802.11i-EAP is a bad idea 
> > > because of dictionary attacks.
> > > 
> > [Joe] I tend to agree, however I think that bridge mechanisms or
> > something similar can be useful tools for pulling things together.  One
> > example is a "generic" security layer that could use EAP keying
> > material.  Another may be a GSS-API mehcnaism that can make use of EAP
> > methods to address some of the concerns Pasi had raised with respect to
> > AAA integration. 
> 
> I too tend to agree.  Bridges are clearly feasible, as SASL support for
> GSS-API mechanisms demonstrates.  But bridges between EAP and any
> client-initiated frameworks will generally cost a round-trip, so for EAP
> vs. pretty much any other security framework it will be more appealing
> to develop framework bindings of one framework's mechanisms to the
> other.

I forgot to mention the counter-argument, namely that, in the short-term
at least, a round-trip is a small price to pay for lowering the cost, in
time and effort, of making EAP's or SASL/GSS-API's mechanisms available
to the other.

Nico
-- 

_______________________________________________
SECMECH mailing list
SECMECH@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/secmech