Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges

Nicolas Williams <Nicolas.Williams@sun.com> Wed, 24 August 2005 18:27 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E7zy5-0004tg-0d; Wed, 24 Aug 2005 14:27:21 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E7zy2-0004tb-QB for secmech@megatron.ietf.org; Wed, 24 Aug 2005 14:27:19 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA10015 for <secmech@ietf.org>; Wed, 24 Aug 2005 14:27:17 -0400 (EDT)
Received: from nwkea-mail-2.sun.com ([192.18.42.14]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E7zyL-0002TI-BT for secmech@ietf.org; Wed, 24 Aug 2005 14:27:42 -0400
Received: from centralmail2brm.Central.Sun.COM ([129.147.62.14]) by nwkea-mail-2.sun.com (8.12.10/8.12.9) with ESMTP id j7OIR9HT005206 for <secmech@ietf.org>; Wed, 24 Aug 2005 11:27:09 -0700 (PDT)
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by centralmail2brm.Central.Sun.COM (8.12.10+Sun/8.12.10/ENSMAIL, v2.2) with ESMTP id j7OIR8LG007409 for <secmech@ietf.org>; Wed, 24 Aug 2005 12:27:08 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.13.3+Sun/8.13.3) with ESMTP id j7OIR7W8010279; Wed, 24 Aug 2005 13:27:07 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.13.3+Sun/8.13.3/Submit) id j7OIR5t4010278; Wed, 24 Aug 2005 13:27:05 -0500 (CDT)
Date: Wed, 24 Aug 2005 13:27:05 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Charles Clancy <clancy@cs.umd.edu>
Subject: Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges
Message-ID: <20050824182705.GE10174@binky.Central.Sun.COM>
References: <43074F76.8000604@cs.umd.edu> <20050822044255.GC27685@isc.upenn.edu> <Pine.GSO.4.60.0508220801430.1114@ismene> <35850EE42DFD2824F0DDBBC8@cumulus> <Pine.GSO.4.60.0508221008260.1174@ismene> <1DCACCAC04655B3AFE9733A8@cumulus> <Pine.GSO.4.60.0508221047001.1307@ismene> <20050822154044.GE7789@binky.Central.Sun.COM> <430CA545.3020109@uni-tuebingen.de> <Pine.GSO.4.60.0508241335240.11596@ismene>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.GSO.4.60.0508241335240.11596@ismene>
User-Agent: Mutt/1.5.7i
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4adaf050708fb13be3316a9eee889caa
Cc: secmech@ietf.org, Bernard Aboba <aboba@internaut.com>
X-BeenThere: secmech@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security mechanisms BOF <secmech.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/secmech>
List-Post: <mailto:secmech@lists.ietf.org>
List-Help: <mailto:secmech-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=subscribe>
Sender: secmech-bounces@lists.ietf.org
Errors-To: secmech-bounces@lists.ietf.org

On Wed, Aug 24, 2005 at 01:45:19PM -0400, Charles Clancy wrote:
> On Wed, 24 Aug 2005, Ali Fessi wrote:
> 
> >- What is the benefit of having a TGT as a result of the authentication 
> >for EAP?!! With native Kerberos, the TGT is used to get a service ticket 
> >from the TGS to access kerberized services. What would be here the 
> >kerberized service?! is it just the "network access"?! or is anyone 
> >planning to realize different kerberized services at layer 2? Is this a 
> >new requirement for 802.11?
> 
> Not only would it allow you to obtain a TGT, it would also allow you to 
> use an existing TGT to get a "service ticket" for network access.  This is 
> probably the less-likely scenario though, since talking to a KDC requires 
> network access in the first place.

Think fast reconnection...  Not such an unlikely scenario, IMO :)

But the TGT could, and I expect would be useful after all the EAP
business is done.

Think of an IPsec VPN client that uses IKEv2 w/ EAP w/ EAP-IAKERB to
connect to the SG and which then also needs a TGT for other services in
the private network once the tunnel is up.  Here Kerberos V credentials
are useful for obtaining network access and also for obtaining access to
many other services one the network is up.

> Another interesting idea would be to treat each 802.11i AP as a service, 
> and you could obtain service tickets for them as you roam.

Again, "fast reconnect."  The first connection requires an AS exchange
to get a TGT and a TGS exchange to get a service ticket, plus an AP
exchange to authenticate with the AP (oops, too many meanings for 'AP');
subsequent connections to the same AP prior to service ticket expiration
require only an AP exchange.

> >- Would PKINIT really be an advantage for EAP?! The point with PKINIT is 
> >that it supports authentication of the client with public key 
> >cryptography. But isn't this already covered by EAP-TLS?
> 
> Well it gets you a TGT.  As long as you think getting a TGT is a good 
> idea, then PKINIT would seem useful.

Indeed.

Nico
-- 

_______________________________________________
SECMECH mailing list
SECMECH@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/secmech