RE: [SECMECH] Framework Bindings Vs. Mechanism Bridges

"Salowey, Joe" <jsalowey@cisco.com> Fri, 19 August 2005 17:27 UTC

Date: Fri, 19 Aug 2005 10:31:51 -0700
From: "Salowey, Joe" <jsalowey@cisco.com>
To: "Nicolas Williams" <Nicolas.Williams@sun.com>, "Charles Clancy" <clancy@cs.umd.edu>
Cc: secmech@ietf.org
List-Id: Security mechanisms BOF <secmech.lists.ietf.org>

 
> From: Nicolas Williams [mailto:Nicolas.Williams@sun.com]
> On Wed, Aug 17, 2005 at 06:14:07PM -0400, Charles Clancy wrote:
> > Mechanism Bridges sounds like a hack to me.
> >
> > IMHO, Framework Bindings sounds like the way to go.  It gives you more
> > control over which mechanisms are used in which frameworks.  Each
> > framework has a different threat model, and not all mechanisms from
> > one framework may be good in another.  For example, using basic krb5
> > in 802.11i-EAP is a bad idea because of dictionary attacks.
>
> Sure, but you could always do krb5-over-TLS-with-cryptographic-bindings.

[Joe] How would this be instantiated?  Currently EAP does not run over a
specific security layer.  There are EAP mechanisms that provide a secure
tunnel for running other mechanisms.  Would an EAP to GSS bridge have to
be a tunneling method?
 
