RE: [SECMECH] Framework Bindings Vs. Mechanism Bridges

Charles Clancy <clancy@cs.umd.edu> Fri, 19 August 2005 18:57 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E6C3t-0000C2-Vz; Fri, 19 Aug 2005 14:57:53 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E6C3t-0000Bx-0n for secmech@megatron.ietf.org; Fri, 19 Aug 2005 14:57:53 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA21468 for <secmech@ietf.org>; Fri, 19 Aug 2005 14:57:51 -0400 (EDT)
Received: from carrierpigeon.cs.umd.edu ([128.8.129.58]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E6Cds-0002g7-I4 for secmech@ietf.org; Fri, 19 Aug 2005 15:35:05 -0400
Received: from ismene (ismene.cs.umd.edu [128.8.126.62]) by carrierpigeon.cs.umd.edu (8.12.10/8.12.5) with ESMTP id j7JIvZfD025543; Fri, 19 Aug 2005 14:57:35 -0400 (EDT)
Date: Fri, 19 Aug 2005 14:52:22 -0400 (EDT)
From: Charles Clancy <clancy@cs.umd.edu>
X-X-Sender: clancy@ismene
To: "Salowey, Joe" <jsalowey@cisco.com>
Subject: RE: [SECMECH] Framework Bindings Vs. Mechanism Bridges
In-Reply-To: <7210B31550AC934A8637D6619739CE6905C06510@e2k-sea-xch2.sea-alpha.cisco.com>
Message-ID: <Pine.GSO.4.60.0508191330380.16954@ismene>
References: <7210B31550AC934A8637D6619739CE6905C06510@e2k-sea-xch2.sea-alpha.cisco.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Spam-Score: 0.0 (/)
X-Scan-Signature: ea4ac80f790299f943f0a53be7e1a21a
Cc: secmech@ietf.org, Nicolas Williams <Nicolas.Williams@sun.com>
X-BeenThere: secmech@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security mechanisms BOF <secmech.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/secmech>
List-Post: <mailto:secmech@lists.ietf.org>
List-Help: <mailto:secmech-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=subscribe>
Sender: secmech-bounces@lists.ietf.org
Errors-To: secmech-bounces@lists.ietf.org

On Fri, 19 Aug 2005, Salowey, Joe wrote:

>> From: Nicolas Williams [mailto:Nicolas.Williams@sun.com]
>>
>> On Wed, Aug 17, 2005 at 06:14:07PM -0400, Charles Clancy wrote:
>>>
>>> IMHO, Framework Bindings sounds like the way to go.  It gives you more 
>>> control over which mechanisms are used in which frameworks.  Each 
>>> framework has a different threat model, and not all mechanisms from 
>>> one framework may be good in another.  For example, using basic krb5 
>>> in 802.11i-EAP is a bad idea because of dictionary attacks.
>>
>> Sure, but you could always do 
>> krb5-over-TLS-with-cryptographic-bindings.
>>
>
> [Joe] How would this be instantiated?  Currently EAP does not run over a 
> specific security layer.  There are EAP mechanisms that provide a secure 
> tunnel for running other mechanisms.  Would an EAP to GSS bridge have to 
> be a tunneling method?

Whatever happened to EAP-GSS?

http://www.drizzle.com/~aboba/IEEE/draft-aboba-pppext-eapgss-12.txt

"krb5->GSS-API->EAP-GSS->EAP-TTLS->EAP" would work.  Of course, the length 
of that string should be a motivator for bindings over bridges.

[ t. charles clancy ]--[ tcc@umd.edu ]--[ www.cs.umd.edu/~clancy ]
[ computer science ]-----[ university of maryland | college park ]

_______________________________________________
SECMECH mailing list
SECMECH@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/secmech