RE: [SECMECH] Framework Bindings Vs. Mechanism Bridges

"Salowey, Joe" <> Fri, 26 August 2005 15:35 UTC

Subject: RE: [SECMECH] Framework Bindings Vs. Mechanism Bridges
Date: Fri, 26 Aug 2005 08:40:10 -0700
From: "Salowey, Joe" <>
To: "Bernard Aboba" <>, "Shumon Huque" <>


> -----Original Message-----
> From: Bernard Aboba [] 
> Sent: Friday, August 26, 2005 8:01 AM
> To: Shumon Huque
> Cc: Salowey, Joe;
> Subject: Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges
>
> > The AAA server could perform the service ticket validation on behalf
> > of the NAS. This requires another round trip with the AAA server, but
> > I don't think this is too much of a problem.
>
> How does the EAP peer figure out the scope of usage of the
> "network access service" ticket?  If each NAS is a separate
> Kerberos principal, then the peer needs a distinct ticket for
> each NAS;  if the AAA server is the principal, then it can
> submit the same ticket to any NAS.

[Joe] I don't think there is necessarily a problem with a service ticket for
the AAA.  This is how EAP typically works today.

> > If we need the NAS to support Kerberos, then I think the barrier to 
> > practical deployment is too high. Or am I missing something?
>
> I think that the NAS needs to be modified even in the case
> where the AAA server is the Kerberos principal, in order to
> be able to securely inform the EAP peer of the ticket scope.
> Otherwise, the EAP peer can't know when it needs to acquire
> another ticket.

[Joe] How would the NAS know anything about the ticket scope?  If you
are concerned about scope, why would you trust the NAS to tell you?  It
would seem that this information needs to be encoded in the ticket. Perhaps
scope can be derived from the service principal name.
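As an added illustration of the last point (this is not code from the thread or from any EAP or Kerberos implementation): an EAP peer derives a cached ticket's usage scope from the service principal name bound into the ticket and ignores any scope the NAS asserts, so it can decide on its own when a new ticket is needed. The principal naming convention it assumes (`host/<fqdn>` names a single NAS, `aaa/<fqdn>` names an AAA server that validates tickets on behalf of every NAS it fronts) is hypothetical.

```python
# Added illustration, not code from the SECMECH thread.  Assumption: a peer can
# tell whether a cached service ticket is usable at a given NAS purely from the
# service principal name (sprinc) the ticket was issued for.  The naming
# convention below (service "host" = one NAS, service "aaa" = an AAA server
# that validates tickets on behalf of every NAS it fronts) is hypothetical.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Principal:
    components: tuple      # RFC 4120 name-string, split on "/"
    realm: str

def parse_principal(text: str) -> Principal:
    """Parse 'svc/instance@REALM'.  Backslash escapes are not handled."""
    if "@" not in text:
        raise ValueError("principal has no realm: %r" % text)
    name, realm = text.rsplit("@", 1)
    comps = tuple(name.split("/"))
    if not realm or not all(comps):
        raise ValueError("malformed principal: %r" % text)
    return Principal(comps, realm)

def ticket_scope(sprinc: Principal) -> tuple:
    """('nas', fqdn) for a per-NAS ticket, ('aaa', None) for an AAA-wide one."""
    if sprinc.components[0] == "aaa" and len(sprinc.components) == 2:
        return ("aaa", None)
    if sprinc.components[0] == "host" and len(sprinc.components) == 2:
        return ("nas", sprinc.components[1].lower())
    raise ValueError("unrecognised service type: %r" % (sprinc.components,))

def ticket_usable(ticket_sprinc: str, nas_fqdn: str, nas_claimed_scope=None) -> bool:
    """nas_claimed_scope is accepted and ignored on purpose: the peer trusts
    only what is bound into the ticket, never what the NAS asserts."""
    kind, target = ticket_scope(parse_principal(ticket_sprinc))
    return kind == "aaa" or target == nas_fqdn.lower()

def select_ticket(cache: list, nas_fqdn: str) -> Optional[str]:
    """Return a cached sprinc usable at nas_fqdn, or None when the peer must
    request a new ticket (for host/<nas_fqdn> under the per-NAS model)."""
    for sprinc in cache:
        if ticket_usable(sprinc, nas_fqdn):
            return sprinc
    return None
```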
