Re: Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges

Shumon Huque <shuque@isc.upenn.edu> Mon, 22 August 2005 11:41 UTC

Date: Mon, 22 Aug 2005 07:41:12 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: t.otto@sharevolution.de
Subject: Re: Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges
Message-ID: <20050822114112.GA343@isc.upenn.edu>
References: <5057734.1124708889160.JavaMail.servlet@kundenserver>
Cc: secmech@ietf.org

On Mon, Aug 22, 2005 at 01:08:09PM +0200, t.otto@sharevolution.de wrote:
> 
> There already exists a Kerberos extension to TLS, RFC 2712 (Oct.99),
> which can be run in EAP-TLS, so the question is: 
> 
> * Is there need for EAP-Kerberos at all? * 

RFC 2712 doesn't provide for initial and service ticket 
acquisition. So, at the very least an EAP method that
allows you to do that needs to be developed.

> So before all, we should investigate in how far EAP-Kerberos improves
> the TLS-based solution. 
> 
> For instance, the mandatory resistance to dictionary attacks. Thomas Wu
> has given in his Kerberos paper a hint how to mitigate this, however,
> even if there is a strong-password protocol without IPR claims,
> strong password methods suffer in general from heavy computation and thus
> the EAP method would have worse performance.

That's true. But as long as performance is good enough, it
might be okay. It's probably certainly an issue for handheld
devices needing to use it.

--Shumon.
