Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges

Nicolas Williams <Nicolas.Williams@sun.com> Mon, 22 August 2005 15:30 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E7EFu-0007li-0d; Mon, 22 Aug 2005 11:30:34 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E7EFs-0007lA-Rf for secmech@megatron.ietf.org; Mon, 22 Aug 2005 11:30:32 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA22918 for <secmech@ietf.org>; Mon, 22 Aug 2005 11:30:28 -0400 (EDT)
Received: from brmea-mail-3.sun.com ([192.18.98.34]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E7EqQ-0004Y8-8J for secmech@ietf.org; Mon, 22 Aug 2005 12:08:19 -0400
Received: from centralmail2brm.Central.Sun.COM (centralmail2brm.central.sun.com [129.147.62.14]) by brmea-mail-3.sun.com (8.12.10/8.12.9) with ESMTP id j7MFURWR002388 for <secmech@ietf.org>; Mon, 22 Aug 2005 09:30:27 -0600 (MDT)
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by centralmail2brm.Central.Sun.COM (8.12.10+Sun/8.12.10/ENSMAIL, v2.2) with ESMTP id j7MFUPLG005838 for <secmech@ietf.org>; Mon, 22 Aug 2005 09:30:27 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.13.3+Sun/8.13.3) with ESMTP id j7MFULR1008736; Mon, 22 Aug 2005 10:30:21 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.13.3+Sun/8.13.3/Submit) id j7MFUJcN008735; Mon, 22 Aug 2005 10:30:19 -0500 (CDT)
Date: Mon, 22 Aug 2005 10:30:19 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Shumon Huque <shuque@isc.upenn.edu>
Subject: Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges
Message-ID: <20050822153019.GC7789@binky.Central.Sun.COM>
References: <7210B31550AC934A8637D6619739CE6905C06510@e2k-sea-xch2.sea-alpha.cisco.com> <Pine.GSO.4.60.0508191330380.16954@ismene> <20050819210308.GI6659@binky.Central.Sun.COM> <20050820031035.GA5352@isc.upenn.edu> <20050820055834.GA7789@binky.Central.Sun.COM> <20050822041808.GB27685@isc.upenn.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050822041808.GB27685@isc.upenn.edu>
User-Agent: Mutt/1.5.7i
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 97adf591118a232206bdb5a27b217034
Cc: secmech@ietf.org
X-BeenThere: secmech@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security mechanisms BOF <secmech.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/secmech>
List-Post: <mailto:secmech@lists.ietf.org>
List-Help: <mailto:secmech-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=subscribe>
Sender: secmech-bounces@lists.ietf.org
Errors-To: secmech-bounces@lists.ietf.org

On Mon, Aug 22, 2005 at 12:18:08AM -0400, Shumon Huque wrote:
> On Sat, Aug 20, 2005 at 12:58:41AM -0500, Nicolas Williams wrote:
> > On Fri, Aug 19, 2005 at 11:10:35PM -0400, Shumon Huque wrote:
> > > I think the Kerberos community needs to work on standardizing password 
> > > based pre-authentication mechanisms invulnerable to dictionary attack 
> > > (perhaps EKE, AEKE, SPEKE, SRP etc). Hardware pre-authentication
> > > mitigates the threat somewhat. But PKINIT isn't really an option for 
> > > the many sites that don't plan to authenticate users with public key 
> > > credentials (or deploy PKI).
> > 
> > Did you attend the SACRED WG meeting at IETF 63?
> 
> No, but I just read a summary of their session. The credential
> mobility stuff isn't really relevant to (non PKINIT) Kerberos
> sites. So I assume you are referring to the IPR issues with those
> protocols. It sounds like there might be some hope though!

The SACRED protocol wasn't the centerpiece of the meeting.  The issues
around strong password protocols, and alternatives, were.

> > > At one time, some of us were talking about an EAP method that
> > > transported Kerberos messages directly. It seems to me that putting
> > > some effort into completing that work would be immediately useful
> > > to Kerberos sites that need to deploy 802.1X or 802.11i soon.
> > 
> > Indeed.  That would be an example of framework bindings of a security
> > mechanisms, as opposed to EAP-GSS, which would be a bridge.
> 
> Agreed.
> 
> Some folks at Penn are interested in working on an EAP-Kerberos 
> method. Is there anyone else interested in this?

I'd help review, of course.

_______________________________________________
SECMECH mailing list
SECMECH@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/secmech