Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges

[Nicolas Williams <Nicolas.Williams@sun.com>]

On Mon, Aug 22, 2005 at 12:18:08AM -0400, Shumon Huque wrote:
> On Sat, Aug 20, 2005 at 12:58:41AM -0500, Nicolas Williams wrote:
> > On Fri, Aug 19, 2005 at 11:10:35PM -0400, Shumon Huque wrote:
> > > I think the Kerberos community needs to work on standardizing password 
> > > based pre-authentication mechanisms invulnerable to dictionary attack 
> > > (perhaps EKE, AEKE, SPEKE, SRP etc). Hardware pre-authentication
> > > mitigates the threat somewhat. But PKINIT isn't really an option for 
> > > the many sites that don't plan to authenticate users with public key 
> > > credentials (or deploy PKI).
> > 
> > Did you attend the SACRED WG meeting at IETF 63?
> 
> No, but I just read a summary of their session. The credential
> mobility stuff isn't really relevant to (non PKINIT) Kerberos
> sites. So I assume you are referring to the IPR issues with those
> protocols. It sounds like there might be some hope though!

The SACRED protocol wasn't the centerpiece of the meeting.  The issues
around strong password protocols, and alternatives, were.

> > > At one time, some of us were talking about an EAP method that
> > > transported Kerberos messages directly. It seems to me that putting
> > > some effort into completing that work would be immediately useful
> > > to Kerberos sites that need to deploy 802.1X or 802.11i soon.
> > 
> > Indeed.  That would be an example of framework bindings of a security
> > mechanisms, as opposed to EAP-GSS, which would be a bridge.
> 
> Agreed.
> 
> Some folks at Penn are interested in working on an EAP-Kerberos 
> method. Is there anyone else interested in this?

I'd help review, of course.

_______________________________________________
SECMECH mailing list
SECMECH@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/secmech