Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges

Charles Clancy <> Wed, 24 August 2005 17:50 UTC

Received: from localhost.localdomain ([] by with esmtp (Exim 4.32) id 1E7zOt-00018E-H2; Wed, 24 Aug 2005 13:50:59 -0400
Received: from ([] by with esmtp (Exim 4.32) id 1E7zOq-000189-QC for; Wed, 24 Aug 2005 13:50:57 -0400
Received: from (ietf-mx []) by (8.9.1a/8.9.1a) with ESMTP id NAA08304 for <>; Wed, 24 Aug 2005 13:50:55 -0400 (EDT)
Received: from ([]) by with esmtp (Exim 4.43) id 1E7zPB-0001LF-Db for; Wed, 24 Aug 2005 13:51:19 -0400
Received: from ismene ( []) by (8.12.10/8.12.5) with ESMTP id j7OHobfD008590; Wed, 24 Aug 2005 13:50:37 -0400 (EDT)
Date: Wed, 24 Aug 2005 13:45:19 -0400 (EDT)
From: Charles Clancy <>
X-X-Sender: clancy@ismene
To: Ali Fessi <>
Subject: Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges
In-Reply-To: <>
Message-ID: <Pine.GSO.4.60.0508241335240.11596@ismene>
References: <Pine.GSO.4.60.0508191330380.16954@ismene> <20050819210308.GI6659@binky.Central.Sun.COM> <> <> <> <Pine.GSO.4.60.0508220801430.1114@ismene> <35850EE42DFD2824F0DDBBC8@cumulus> <Pine.GSO.4.60.0508221008260.1174@ismene> <1DCACCAC04655B3AFE9733A8@cumulus> <Pine.GSO.4.60.0508221047001.1307@ismene> <20050822154044.GE7789@binky.Central.Sun.COM> <>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Spam-Score: 0.0 (/)
X-Scan-Signature: ea4ac80f790299f943f0a53be7e1a21a
Cc:, Bernard Aboba <>
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security mechanisms BOF <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>

On Wed, 24 Aug 2005, Ali Fessi wrote:

> - What is the benefit of having a TGT as a result of the authentication 
> for EAP?!! With native Kerberos, the TGT is used to get a service ticket 
> from the TGS to access kerberized services. What would be here the 
> kerberized service?! is it just the "network access"?! or is anyone 
> planning to realize different kerberized services at layer 2? Is this a 
> new requirement for 802.11?

Not only would it allow you to obtain a TGT, it would also allow you to 
use an existing TGT to get a "service ticket" for network access.  This is 
probably the less-likely scenario though, since talking to a KDC requires 
network access in the first place.

Consider the case of Win32 AFS on a laptop.  You sign onto the wireless 
network, and you can get a service ticket for AFS without having to 
reauthenticate to the KDC.

Another interesting idea would be to treat each 802.11i AP as a service, 
and you could obtain service tickets for them as you roam.

> - Would PKINIT really be an advantage for EAP?! The point with PKINIT is 
> that it supports authentication of the client with public key 
> cryptography. But isn't this already covered by EAP-TLS?

Well it gets you a TGT.  As long as you think getting a TGT is a good 
idea, then PKINIT would seem useful.

[ t. charles clancy ]--[ ]--[ ]
[ computer science ]-----[ university of maryland | college park ]

SECMECH mailing list