Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges

Charles Clancy <clancy@cs.umd.edu> Mon, 22 August 2005 14:54 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E7Dgm-0008GA-26; Mon, 22 Aug 2005 10:54:16 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E7Dgl-0008Fn-CK for secmech@megatron.ietf.org; Mon, 22 Aug 2005 10:54:15 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA20784 for <secmech@ietf.org>; Mon, 22 Aug 2005 10:54:13 -0400 (EDT)
Received: from carrierpigeon.cs.umd.edu ([128.8.129.58]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E7EHK-0003M5-Jh for secmech@ietf.org; Mon, 22 Aug 2005 11:32:04 -0400
Received: from ismene (ismene.cs.umd.edu [128.8.126.62]) by carrierpigeon.cs.umd.edu (8.12.10/8.12.5) with ESMTP id j7MEs0fD017183; Mon, 22 Aug 2005 10:54:00 -0400 (EDT)
Date: Mon, 22 Aug 2005 10:48:45 -0400 (EDT)
From: Charles Clancy <clancy@cs.umd.edu>
X-X-Sender: clancy@ismene
To: Josh Howlett <josh.howlett@bristol.ac.uk>
Subject: Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges
In-Reply-To: <1DCACCAC04655B3AFE9733A8@cumulus>
Message-ID: <Pine.GSO.4.60.0508221047001.1307@ismene>
References: <7210B31550AC934A8637D6619739CE6905C06510@e2k-sea-xch2.sea-alpha. cisco.com> <Pine.GSO.4.60.0508191330380.16954@ismene> <20050819210308.GI6659@binky.Central.Sun.COM> <20050820031035.GA5352@isc.upenn.edu> <43074F76.8000604@cs.umd.edu> <20050822044255.GC27685@isc.upenn.edu> <Pine.GSO.4.60.0508220801430.1114@ismene> <35850EE42DFD2824F0DDBBC8@cumulus> <Pine.GSO.4.60.0508221008260.1174@ismene> <1DCACCAC04655B3AFE9733A8@cumulus>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8abaac9e10c826e8252866cbe6766464
Cc: secmech@ietf.org, Nicolas Williams <Nicolas.Williams@sun.com>
X-BeenThere: secmech@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security mechanisms BOF <secmech.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/secmech>
List-Post: <mailto:secmech@lists.ietf.org>
List-Help: <mailto:secmech-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=subscribe>
Sender: secmech-bounces@lists.ietf.org
Errors-To: secmech-bounces@lists.ietf.org

On Mon, 22 Aug 2005, Josh Howlett wrote:

> --On Monday, August 22, 2005 10:19:53 -0400 Charles Clancy 
> <clancy@cs.umd.edu> wrote:
>
>> On Mon, 22 Aug 2005, Josh Howlett wrote:
>> 
>>> On Mon, 22 Aug 2005, Charles Clancy <clancy@cs.umd.edu> wrote:
>>> 
>>>> Personally, I think a native EAP-Kerberos method that utilizes DTLS is
>>>> the way to go.
>>> 
>>> Why not take something like TTLSv1 and define a Kerberos binding to it?
>> 
>> I guess it's a tradeoff between outside dependencies and reinventing the
>> wheel.  TTLS hasn't been on the list of EAP methods seeking
>> standards-track action.  Regardless, this is another approach I
>> personally would be willing to support.
>
> Out of curiousity, what are the advantages of using native Kerberos, rather 
> than PAP inside a tunneled method which the AAA server verifies against the 
> KDC? (this is how FreeRADIUS currently implements "Kerberos" authentication).
>
> Perhaps I'm being a bit dim, but I feel like I'm missing the point.
>
> Or is the point simply to define a mechanism that EAP and GSS can share?

I'm not very familiar with this mechanism, but it doesn't like like you 
could get a TGT as a result of your authentication.

[ t. charles clancy ]--[ tcc@umd.edu ]--[ www.cs.umd.edu/~clancy ]
[ computer science ]-----[ university of maryland | college park ]

_______________________________________________
SECMECH mailing list
SECMECH@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/secmech