Re: [SECMECH] Method work
Jari Arkko <jari.arkko@piuha.net> Thu, 25 August 2005 13:33 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E8HrZ-0002Bv-Ec; Thu, 25 Aug 2005 09:33:49 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E8HrX-0002Bp-TE for secmech@megatron.ietf.org; Thu, 25 Aug 2005 09:33:47 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA17648 for <secmech@ietf.org>; Thu, 25 Aug 2005 09:33:46 -0400 (EDT)
Received: from p130.piuha.net ([193.234.218.130]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E8Hs3-0003Nm-Ki for secmech@ietf.org; Thu, 25 Aug 2005 09:34:21 -0400
Received: from [127.0.0.1] (p130.piuha.net [193.234.218.130]) by p130.piuha.net (Postfix) with ESMTP id 2D18989852; Thu, 25 Aug 2005 16:33:28 +0300 (EEST)
Message-ID: <430DC8B3.9010309@piuha.net>
Date: Thu, 25 Aug 2005 16:33:39 +0300
From: Jari Arkko <jari.arkko@piuha.net>
User-Agent: Mozilla Thunderbird 1.0 (X11/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Salowey, Joe" <jsalowey@cisco.com>
Subject: Re: [SECMECH] Method work
References: <7210B31550AC934A8637D6619739CE6905C06A6B@e2k-sea-xch2.sea-alpha.cisco.com>
In-Reply-To: <7210B31550AC934A8637D6619739CE6905C06A6B@e2k-sea-xch2.sea-alpha.cisco.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: e1b0e72ff1bbd457ceef31828f216a86
Content-Transfer-Encoding: 7bit
Cc: secmech@ietf.org
X-BeenThere: secmech@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security mechanisms BOF <secmech.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/secmech>
List-Post: <mailto:secmech@lists.ietf.org>
List-Help: <mailto:secmech-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=subscribe>
Sender: secmech-bounces@lists.ietf.org
Errors-To: secmech-bounces@lists.ietf.org
Salowey, Joe wrote: >I would like to identify which mechanism types there is interest in >working on. Below is a list of various authentication methods that >people have expressed interest in having support for in EAP and other >frameworks. It may not be the case that we need a separate mechanism >for each of these. I'd like to know who has interest in contributing >and reviewing (please indicate either or both) specifications for each >of these mechanism types. > >1. X.509 Certificate credentials - (possible revision of EAP-TLS >(RFC2716)) - applicable to EAP, possibly applicable to GSS and SASL. >Desired by IEEE 802.11 for EAP. > > I think we should rev EAP-TLS at the minimum, just to make a PS out of it and fix some bugs & provide additional information where necessary. We probably need to resist the urge to add a lot of stuff to EAP-TLS in such a revision. Though I'm kind of interested in adding channel bindings. But I'm not sure if that's doable in a backwards compatible way, without either a major change in EAP-TLS or an extension in TLS. >2. Shared Secret - pre-shared secret method. Applicable to EAP and GSS, >possibly SASL. Desired by IEEE 802.11 for EAP. > > Yes, this is perhaps my top priority item. My current thinking of what we need here is a simple-to-implement method that is really shared secret, not password based, and something that would provide a reasonable candidate for people to implement in their products and reference as a mandatory-to- implement for some link layer. One question is what the value of EAP-TLS + TLS PSK would be in this context. To me this would satisfy the implementation simplicity requirement; most products should be able to take TLS in rather easily. However, there are also other reasons for developing new EAP methods (channel bindings is one reason), so we'd have to look at how to arrange for those other reasons. >3. Password based - essentially a shared secret mechanism that provides >resistance to dictionary attacks. It should support various backend >databases of password that use different storage techniques and perhaps >support for one time tokens as well. Could use something related to EKE >or a tunneling approach. Applicable to EAP, GSS, and SASL. Desired by >IEEE 802.11 for EAP. > > This would also be very useful. Personally I'm a bit more on thin ice here when it comes to the specific methods and whether there are any potential IPR issues etc. But I know this would be very much needed from a customer perspective. >4. Tunneling - a tunneling method is useful to protect weaker >authentication mechanisms. Tunneling methods are also used to exchange >other types of authentication data. Applicability EAP and GSS possibly >SASL. > > This is perhaps the widest class of currently used EAP methods, all proprietary and/or exist only in drafty draft state. One issue here is whether we'd be able to find consensus, or would the folks who have their own tunnel methods be fighting for "their" approach? Another issue is to what extent having a good solution for #3 would lessen the need for #4. >5. Kerberos - Something that provide for initial authentication and a >strategy for resisting dictionary attacks. Applicable to EAP, possibly >GSS. > > I don't currently see a big customer demand for this. But I could be viewing at the wrong "market segment". Other: enrollment, perhaps a la what Rohan Mahy wanted to do in the last EAP WG meeting. --Jari >Thanks, > >Joe > >_______________________________________________ >SECMECH mailing list >SECMECH@lists.ietf.org >https://www1.ietf.org/mailman/listinfo/secmech > > > > _______________________________________________ SECMECH mailing list SECMECH@lists.ietf.org https://www1.ietf.org/mailman/listinfo/secmech
- Re: [SECMECH] Method work Jari Arkko
- [SECMECH] Method work Salowey, Joe
- Re: [SECMECH] Method work Nicolas Williams
- RE: [SECMECH] Method work Salowey, Joe