Re: [SECMECH] Re: Identity Protection in EAP-TLS

Mohamad Badra <badra@enst.fr> Wed, 07 June 2006 00:01 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FnlUS-0003iQ-9F; Tue, 06 Jun 2006 20:01:40 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FnlUR-0003iL-7u for secmech@ietf.org; Tue, 06 Jun 2006 20:01:39 -0400
Received: from smtp1-g19.free.fr ([212.27.42.27]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FnlUP-0005F4-W0 for secmech@ietf.org; Tue, 06 Jun 2006 20:01:39 -0400
Received: from enst.fr (mar92-11-82-245-209-5.fbx.proxad.net [82.245.209.5]) by smtp1-g19.free.fr (Postfix) with ESMTP id 03BA2911B8; Wed, 7 Jun 2006 02:01:36 +0200 (CEST)
Message-ID: <44861757.9070107@enst.fr>
Date: Wed, 07 Jun 2006 02:01:27 +0200
From: Mohamad Badra <badra@enst.fr>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr-FR; rv:1.0.2) Gecko/20030208 Netscape/7.02
X-Accept-Language: fr-fr, fr
MIME-Version: 1.0
To: Simon Josefsson <jas@extundo.com>
Subject: Re: [SECMECH] Re: Identity Protection in EAP-TLS
References: <5.2.1.1.0.20060601232742.03866c50@pop.tele2.fr> <8764jkse04.fsf@latte.josefsson.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 798b2e660f1819ae38035ac1d8d5e3ab
Cc: secmech@ietf.org
X-BeenThere: secmech@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security mechanisms BOF <secmech.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/secmech>
List-Post: <mailto:secmech@lists.ietf.org>
List-Help: <mailto:secmech-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=subscribe>
Errors-To: secmech-bounces@lists.ietf.org

Hi Simon,

Simon Josefsson a écrit:
> How would your approach compare to using TLS-PSK to set up a TLS
> connection, and then within that TLS session, re-handshake with client
> certificates?  The client certificates would then be encrypted.

The document assumes that there is no PSK shared between the client and 
the server. Thus, there is no way to encrypt the certificate unless we 
key derived from the premaster secret (per-session key).

We already published a document (EAP-Double-TLS) which runs like your 
approch: establishing a TLS shared secret Handshake to set up a 
protected connection and therefore an Handshake with certificate exchange.

> /Simon

Best regards
Badra



_______________________________________________
SECMECH mailing list
SECMECH@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/secmech