Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges

Shumon Huque <> Thu, 25 August 2005 15:26 UTC

Date: Thu, 25 Aug 2005 11:26:09 -0400
From: Shumon Huque <>
To: Jari Arkko <>
Subject: Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges
Message-ID: <>
References: <5057734.1124708889160.JavaMail.servlet@kundenserver> <> <>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/
Organization: University of Pennsylvania
List-Id: Security mechanisms BOF <>

On Thu, Aug 25, 2005 at 04:53:57PM +0300, Jari Arkko wrote:
> Shumon Huque wrote:
> >On Mon, Aug 22, 2005 at 01:08:09PM +0200, wrote:
> > 
> >>There already exists a Kerberos extension to TLS, RFC 2712 (Oct.99),
> >>which can be run in EAP-TLS, so the question is: 
> >>
> >>* Is there need for EAP-Kerberos at all? * 
> >>   
> >RFC 2712 doesn't provide for initial and service ticket 
> >acquisition. So, at the very least an EAP method that
> >allows you to do that needs to be developed.
> > 
> >
> Do you need a fix to EAP, or do you need a fix to kerberos-in-TLS?
> The latter might be applicable in a number of other scenarios,
> too...
> --Jari

Most application protocols that support Kerberos authentication 
today assume that ticket acquisition is performed out of band.
The Kerberos ciphersuite specification for TLS takes the same
architectural approach. Although I realize that TLS itself isn't
an application, but a framework. Hence perhaps it should support 
a way to do ticket acquisition. Any thoughts?

With EAP for network access authentication, the ticket acquisition
step itself needs to be supported via an EAP method. I don't have 
any strong opinions about whether there should be a separate ticket 
acquisition method, or whether it should be part of an integrated 
Kerberos method that does ticket acquisition and authentication. 
But the latter seems simpler.

One other possibility is for TLS to support GSS-API and then
an IAKERB GSS-API mechanism could provide ticket acquisition
support. I think Nico may have mentioned this already. Again,
this requires updated versions of both those protocols (in
addition to TLS) to be usable in EAP, and hence we could be 
waiting a while :-)


SECMECH mailing list