Re: [SECMECH] Re: Identity Protection in EAP-TLS
Mohamad Badra <badra@enst.fr> Wed, 07 June 2006 00:01 UTC
Message-ID: <44861757.9070107@enst.fr>
Date: Wed, 07 Jun 2006 02:01:27 +0200
From: Mohamad Badra <badra@enst.fr>
To: Simon Josefsson <jas@extundo.com>
Subject: Re: [SECMECH] Re: Identity Protection in EAP-TLS
References: <5.2.1.1.0.20060601232742.03866c50@pop.tele2.fr> <8764jkse04.fsf@latte.josefsson.org>
Cc: secmech@ietf.org
Hi Simon,

Simon Josefsson wrote:
> How would your approach compare to using TLS-PSK to set up a TLS
> connection, and then within that TLS session, re-handshake with client
> certificates? The client certificates would then be encrypted.

The document assumes that there is no PSK shared between the client and the server. Thus, there is no way to encrypt the certificate unless we use a key derived from the premaster secret (per-session key).

We already published a document (EAP-Double-TLS) which runs like your approach: establishing a TLS shared-secret Handshake to set up a protected connection and therefore a Handshake with certificate exchange.

> /Simon

Best regards
Badra
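The two situations contrasted in the reply, shown as an added example rather than code from the thread or from the EAP-Double-TLS document: a plain TLS 1.2 client flight puts the Certificate message on the wire in cleartext, whereas an outer handshake that derives a per-session key from a fresh premaster secret (ephemeral DH, no pre-shared key) lets the inner handshake carry the certificate inside a protected record. The simulation is stdlib-only and deliberately simplified: the message names are illustrative, the DH group is assumed to be the RFC 2409 1024-bit MODP Group 2 prime transcribed below (the exchange works with any agreed modulus), HKDF-SHA256 stands in for the TLS PRF, and an HMAC-derived keystream with an encrypt-then-MAC tag stands in for the TLS record layer. The certificate bytes are a constructed sample, not a real X.509 object.

```python
"""Simulation of why EAP-TLS needs a per-session key to hide the client certificate.

Added example, not code from the SECMECH thread or from EAP-Double-TLS.
Assumptions: RFC 2409 MODP Group 2 prime (transcribed here), HKDF-SHA256 as the
PRF stand-in, HMAC keystream + tag as the record-layer stand-in.
"""
import hashlib
import hmac
import os

# RFC 2409 Group 2 (1024-bit MODP) prime, generator 2. Assumed correct
# transcription; the simulation only needs both sides to use the same modulus.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

# Constructed sample identity; a real deployment would carry a DER X.509 blob.
CLIENT_CERT = (b"-----BEGIN CERTIFICATE-----\n"
               b"CN=alice@example.org (constructed sample)\n"
               b"-----END CERTIFICATE-----")


def hkdf(secret: bytes, label: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256 (extract with zero salt, then expand); PRF stand-in."""
    prk = hmac.new(b"\x00" * 32, secret, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + label + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def seal(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Record-layer stand-in: XOR with an HKDF keystream, then an HMAC tag over seq||ct."""
    seq_bytes = seq.to_bytes(8, "big")
    stream = hkdf(key, b"stream" + seq_bytes, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, seq_bytes + ct, hashlib.sha256).digest()
    return ct + tag


def open_record(key: bytes, seq: int, record: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject tampered records."""
    seq_bytes = seq.to_bytes(8, "big")
    ct, tag = record[:-32], record[-32:]
    expected = hmac.new(key, seq_bytes + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record authentication failed")
    stream = hkdf(key, b"stream" + seq_bytes, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def plain_tls_client_flight():
    """Ordinary TLS 1.2 handshake: the client's Certificate is a cleartext
    handshake message, so the wire transcript contains the identity."""
    return [
        ("client", b"ClientHello"),
        ("server", b"ServerHello ServerCertificate ServerKeyExchange "
                   b"CertificateRequest ServerHelloDone"),
        ("client", b"Certificate " + CLIENT_CERT),       # visible on the wire
        ("client", b"ClientKeyExchange CertificateVerify Finished"),
    ]


def double_tls_exchange():
    """Outer handshake with no PSK: ephemeral DH yields a premaster secret and a
    per-session key. Inner handshake: the client Certificate rides inside a
    protected record. Returns (wire transcript, what the server recovered)."""
    wire = []
    a = int.from_bytes(os.urandom(32), "big")
    b = int.from_bytes(os.urandom(32), "big")
    ya, yb = pow(G, a, P), pow(G, b, P)
    wire.append(("client", b"ClientHello"))
    wire.append(("server", b"ServerHello ServerCertificate ServerKeyExchange(Ys="
                           + yb.to_bytes(128, "big") + b") ServerHelloDone"))
    wire.append(("client", b"ClientKeyExchange(Yc=" + ya.to_bytes(128, "big") + b")"))
    # Each side computes the same premaster secret and derives the session key.
    client_key = hkdf(pow(yb, a, P).to_bytes(128, "big"), b"session key")
    server_key = hkdf(pow(ya, b, P).to_bytes(128, "big"), b"session key")
    inner = b"Certificate " + CLIENT_CERT
    wire.append(("client", seal(client_key, 0, inner)))  # ciphertext on the wire
    recovered = open_record(server_key, 0, wire[-1][1])
    return wire, recovered


def certificate_on_wire(wire) -> bool:
    """Observer check: does any transmitted payload contain the certificate bytes?"""
    return any(CLIENT_CERT in payload for _, payload in wire)


if __name__ == "__main__":
    print("plain EAP-TLS leaks certificate:", certificate_on_wire(plain_tls_client_flight()))
    transcript, got = double_tls_exchange()
    print("double handshake leaks certificate:", certificate_on_wire(transcript))
    print("server recovered certificate:", got.endswith(CLIENT_CERT))
```

The observer check is the whole point of the reply: without a PSK, the only secret both sides hold before the certificate is sent is the premaster secret from the outer exchange, so a key derived from it is what makes the inner Certificate message unreadable on the wire. The stand-in record layer is not a substitute for TLS; it exists only so the transcript comparison can run offline.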