Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges

Shumon Huque <shuque@isc.upenn.edu> Thu, 25 August 2005 15:19 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E8JVu-0000aQ-IP; Thu, 25 Aug 2005 11:19:34 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E8JVs-0000aL-Sd for secmech@megatron.ietf.org; Thu, 25 Aug 2005 11:19:33 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA22599 for <secmech@ietf.org>; Thu, 25 Aug 2005 11:19:30 -0400 (EDT)
Received: from talkeetna.isc-net.upenn.edu ([128.91.197.188]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E8JWO-0006D8-JC for secmech@ietf.org; Thu, 25 Aug 2005 11:20:07 -0400
Received: by talkeetna.isc-net.upenn.edu (Postfix, from userid 4127) id 2434E4477; Thu, 25 Aug 2005 11:19:23 -0400 (EDT)
Date: Thu, 25 Aug 2005 11:19:23 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: Jari Arkko <jari.arkko@piuha.net>
Subject: Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges
Message-ID: <20050825151922.GA29211@isc.upenn.edu>
References: <7210B31550AC934A8637D6619739CE6905C06510@e2k-sea-xch2.sea-alpha.cisco.com> <Pine.GSO.4.60.0508191330380.16954@ismene> <20050819210308.GI6659@binky.Central.Sun.COM> <20050820031035.GA5352@isc.upenn.edu> <43074F76.8000604@cs.umd.edu> <20050822044255.GC27685@isc.upenn.edu> <430DCD61.1090109@piuha.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <430DCD61.1090109@piuha.net>
User-Agent: Mutt/1.4.2.1i
Organization: University of Pennsylvania
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7655788c23eb79e336f5f8ba8bce7906
Cc: secmech@ietf.org, Nicolas Williams <Nicolas.Williams@sun.com>
X-BeenThere: secmech@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security mechanisms BOF <secmech.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/secmech>
List-Post: <mailto:secmech@lists.ietf.org>
List-Help: <mailto:secmech-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=subscribe>
Sender: secmech-bounces@lists.ietf.org
Errors-To: secmech-bounces@lists.ietf.org

On Thu, Aug 25, 2005 at 04:53:37PM +0300, Jari Arkko wrote:
> Shumon Huque wrote:
> 
> >I'm also not a fan of automatically assuming that a tunnel is the 
> >right solution for many problems. If we are tunnelling in TLS for 
> >example, I now have additional issues to deal with. Such as how to 
> >query up-to-date certificate revocation status, and whether my 
> >users are properly validating the certificates etc.
> > 
> >
> Given choice, I'd rather have a well-design fully
> capable mechanisms than a tunnel + a mechanism
> that needs to run inside the tunnel.
> 
> --Jari

I completely agree. However, current options don't look good 
for Kerberos 5, unless a strong password based pre-authentication
mechanism is developed. So, I'm willing to endorse the scheme
of running Kerberos inside TLS, at least as an interim measure
(ala Tom Clancy's recent diagram).

--Shumon.

_______________________________________________
SECMECH mailing list
SECMECH@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/secmech