[SECMECH] Re: Identity Protection in EAP-TLS

Simon Josefsson <jas@extundo.com> Tue, 06 June 2006 22:45 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FnkIX-0005Ie-JM; Tue, 06 Jun 2006 18:45:17 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Flvj2-00048g-Sl for secmech@ietf.org; Thu, 01 Jun 2006 18:33:08 -0400
Received: from 178.230.13.217.in-addr.dgcsystems.net ([217.13.230.178] helo=yxa.extundo.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Flvj1-00052f-Fj for secmech@ietf.org; Thu, 01 Jun 2006 18:33:08 -0400
Received: from localhost.localdomain (yxa.extundo.com [217.13.230.178]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge1) with ESMTP id k51MWxpU011867 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 2 Jun 2006 00:33:00 +0200
From: Simon Josefsson <jas@extundo.com>
To: Pascal Urien <urienp@tele2.fr>
References: <5.2.1.1.0.20060601232742.03866c50@pop.tele2.fr>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:060601:urienp@tele2.fr::lzS6wALLLDN34yr+:2t3/
X-Hashcash: 1:22:060601:secmech@ietf.org::pHHyeJK02BF+Gx9b:ENpi
Date: Fri, 02 Jun 2006 00:32:59 +0200
In-Reply-To: <5.2.1.1.0.20060601232742.03866c50@pop.tele2.fr> (Pascal Urien's message of "Thu, 01 Jun 2006 23:27:59 +0200")
Message-ID: <8764jkse04.fsf@latte.josefsson.org>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Status: No, score=-2.4 required=5.0 tests=AWL,BAYES_00, FORGED_RCVD_HELO autolearn=ham version=3.1.1
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on yxa-iv
X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com
X-Virus-Status: Clean
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 9182cfff02fae4f1b6e9349e01d62f32
X-Mailman-Approved-At: Tue, 06 Jun 2006 18:45:16 -0400
Cc: secmech@ietf.org
Subject: [SECMECH] Re: Identity Protection in EAP-TLS
X-BeenThere: secmech@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security mechanisms BOF <secmech.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/secmech>
List-Post: <mailto:secmech@lists.ietf.org>
List-Help: <mailto:secmech-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=subscribe>
Errors-To: secmech-bounces@lists.ietf.org

Pascal Urien <urienp@tele2.fr> writes:

> Hi Everybody,
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>
>
> 	Title		: Identity Protection within EAP-TLS
> 	Author(s)	: P. Urien, M. Badra
> 	Filename	: draft-urien-badra-eap-tls-identity-protection-00.txt
> 	Pages		: 7
> 	Date		: 2006-5-31
> 	
> This document defines a mechanism providing EAP-TLS identity
> protection.
>
> It defines new TLS extension, in order to negotiate the symmetric
> encryption algorithm that is used to encrypt or decrypt the client's
> certificate.

How would your approach compare to using TLS-PSK to set up a TLS
connection, and then within that TLS session, re-handshake with client
certificates?  The client certificates would then be encrypted.

/Simon

_______________________________________________
SECMECH mailing list
SECMECH@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/secmech