Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges

Shumon Huque <shuque@isc.upenn.edu> Thu, 25 August 2005 15:26 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E8JcJ-0002xy-IH; Thu, 25 Aug 2005 11:26:11 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E8JcI-0002xh-Gw for secmech@megatron.ietf.org; Thu, 25 Aug 2005 11:26:10 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA23246 for <secmech@ietf.org>; Thu, 25 Aug 2005 11:26:07 -0400 (EDT)
Received: from talkeetna.isc-net.upenn.edu ([128.91.197.188]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E8Jcq-0006YQ-6W for secmech@ietf.org; Thu, 25 Aug 2005 11:26:44 -0400
Received: by talkeetna.isc-net.upenn.edu (Postfix, from userid 4127) id 577224479; Thu, 25 Aug 2005 11:26:09 -0400 (EDT)
Date: Thu, 25 Aug 2005 11:26:09 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: Jari Arkko <jari.arkko@piuha.net>
Subject: Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges
Message-ID: <20050825152609.GB29211@isc.upenn.edu>
References: <5057734.1124708889160.JavaMail.servlet@kundenserver> <20050822114112.GA343@isc.upenn.edu> <430DCD75.5040601@piuha.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <430DCD75.5040601@piuha.net>
User-Agent: Mutt/1.4.2.1i
Organization: University of Pennsylvania
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 9ed51c9d1356100bce94f1ae4ec616a9
Cc: secmech@ietf.org
X-BeenThere: secmech@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security mechanisms BOF <secmech.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/secmech>
List-Post: <mailto:secmech@lists.ietf.org>
List-Help: <mailto:secmech-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=subscribe>
Sender: secmech-bounces@lists.ietf.org
Errors-To: secmech-bounces@lists.ietf.org

On Thu, Aug 25, 2005 at 04:53:57PM +0300, Jari Arkko wrote:
> Shumon Huque wrote:
> 
> >On Mon, Aug 22, 2005 at 01:08:09PM +0200, t.otto@sharevolution.de wrote:
> > 
> >>There already exists a Kerberos extension to TLS, RFC 2712 (Oct.99),
> >>which can be run in EAP-TLS, so the question is: 
> >>
> >>* Is there need for EAP-Kerberos at all? * 
> >>   
> >RFC 2712 doesn't provide for initial and service ticket 
> >acquisition. So, at the very least an EAP method that
> >allows you to do that needs to be developed.
> > 
> >
> Do you need a fix to EAP, or do you need a fix to kerberos-in-TLS?
> The latter might be applicable in a number of other scenarios,
> too...
> 
> --Jari

Most application protocols that support Kerberos authentication 
today assume that ticket acquisition is performed out of band.
The Kerberos ciphersuite specification for TLS takes the same
architectural approach. I realize, though, that TLS itself isn't
an application but a framework, so perhaps it should support
a way to do ticket acquisition. Any thoughts?

With EAP for network access authentication, the ticket acquisition
step itself needs to be supported via an EAP method. I don't have 
any strong opinions about whether there should be a separate ticket 
acquisition method, or whether it should be part of an integrated 
Kerberos method that does ticket acquisition and authentication. 
But the latter seems simpler.

One other possibility is for TLS to support GSS-API and then
an IAKERB GSS-API mechanism could provide ticket acquisition
support. I think Nico may have mentioned this already. Again,
this requires updated versions of both those protocols (in
addition to TLS) to be usable in EAP, and hence we could be 
waiting a while :-)

--Shumon.

_______________________________________________
SECMECH mailing list
SECMECH@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/secmech