Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges

Ali Fessi <> Wed, 24 August 2005 16:50 UTC

Date: Wed, 24 Aug 2005 18:50:13 +0200
From: Ali Fessi <>
Subject: Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges
References: <Pine.GSO.4.60.0508191330380.16954@ismene> <20050819210308.GI6659@binky.Central.Sun.COM> <> <> <> <Pine.GSO.4.60.0508220801430.1114@ismene> <35850EE42DFD2824F0DDBBC8@cumulus> <Pine.GSO.4.60.0508221008260.1174@ismene> <1DCACCAC04655B3AFE9733A8@cumulus> <Pine.GSO.4.60.0508221047001.1307@ismene> <20050822154044.GE7789@binky.Central.Sun.COM>
In-Reply-To: <20050822154044.GE7789@binky.Central.Sun.COM>
Cc: Bernard Aboba <>

Dear all,

I still don't get the point of using Kerberos as an EAP method.

- What is the benefit of having a TGT as a result of the authentication 
for EAP?! With native Kerberos, the TGT is used to get a service ticket 
from the TGS to access kerberized services. What would the kerberized 
service be here?! Is it just the "network access"?! Or is anyone 
planning to realize different kerberized services at layer 2? Is this a 
new requirement for 802.11?

- What would be the benefit of such an EAP-Kerberos (or EAP-IAKERB) 
method compared to existing EAP methods that are currently used, e.g. 
EAP-TTLS+PAP with a RADIUS/Diameter server at the end (except that this 
method might be a "misuse" of Kerberos, as mentioned earlier on this 
mailing list)? What would be the arguments that would motivate operators 
to replace their infrastructure with a new one supporting 
EAP-Kerberos or EAP-IAKERB?

- Would PKINIT really be an advantage for EAP?! The point with PKINIT is 
that it supports authentication of the client with public key 
cryptography. But isn't this already covered by EAP-TLS?

- Wouldn't it be helpful to talk to the authors of the EAP-GSS draft 
(Aboba) and find out why they stopped working on this document?

IMHO, it seems that it makes sense to combine different frameworks with 
different authentication mechanisms, as intended by SECMECH. But I would 
just like some clarification on why this would be useful.

Any comments are welcome!
Ali Fessi
Computer Networks and Internet
Wilhelm Schickard Institute for Computer Science
University of Tuebingen, Germany
Phone: +49 7071 29-70534 / Fax: +49 7071 29-5220

Nicolas Williams wrote:
> On Mon, Aug 22, 2005 at 10:48:45AM -0400, Charles Clancy wrote:
>> On Mon, 22 Aug 2005, Josh Howlett wrote:
>>> Out of curiosity, what are the advantages of using native Kerberos,
>>> rather than PAP inside a tunneled method which the AAA server verifies
>>> against the KDC? (this is how FreeRADIUS currently implements 
>>> Perhaps I'm being a bit dim, but I feel like I'm missing the point.
>>> Or is the point simply to define a mechanism that EAP and GSS can share?
>> I'm not very familiar with this mechanism, but it doesn't look like you
>> could get a TGT as a result of your authentication.
> Exactly.  Plus, you don't get the benefit of new Kerberos V pre-auth
> mechanisms (e.g., PKINIT).
> Nico

SECMECH mailing list