RE: [SECMECH] Framework Bindings Vs. Mechanism Bridges

Josh Howlett <josh.howlett@bristol.ac.uk> Fri, 26 August 2005 14:38 UTC

Date: Fri, 26 Aug 2005 15:34:43 +0100
From: Josh Howlett <josh.howlett@bristol.ac.uk>
To: Bernard Aboba <aboba@internaut.com>, "Salowey, Joe" <jsalowey@cisco.com>
Subject: RE: [SECMECH] Framework Bindings Vs. Mechanism Bridges
Message-ID: <191B6A09CAEEC043419A68E5@cumulus>
In-Reply-To: <Pine.LNX.4.61.0508252336520.5325@internaut.com>
References: <7210B31550AC934A8637D6619739CE6905C8BEEC@e2k-sea-xch2.sea-alpha.cisco.com> <Pine.LNX.4.61.0508252336520.5325@internaut.com>
Cc: secmech@ietf.org


--On Thursday, August 25, 2005 23:40:04 -0700 Bernard Aboba <aboba@internaut.com> wrote:
>> It could also be possible to still involve a AAA and have it terminate
>> the method and talk to the KDC. If you are trying to implement a method
>> that is evaluated by both the NAS and the AAA in the same transaction
>> you are really doing something other than EAP.
>
> In all the EAP Kerberos proposals I've seen the method is terminated on
> either the NAS or AAA server, but not both.  But in any scenario, the
> NAS still needs to support Kerberos, in order to validate the "network
> access" service ticket.

Just to clarify - it would be possible for the AAA server to authenticate 
against the KDC and return an EAP-Success to the NAS as per other EAP 
types, without the NAS needing to understand Kerberos. However, the NAS 
would need to understand Kerberos in order to allow a service ticket to be 
used for, i.e., fast reconnect (...which is undesirable for secret hygiene).

Right?

josh.

-- 
-----------------------------------------------------------
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: josh.howlett@bris.ac.uk
------------------------------------------------------------
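The two deployment options discussed above, as an added toy model that is not part of this thread or of any EAP/Kerberos implementation: a "service ticket" is stood in for by an HMAC under the service's long-term key (real Kerberos encrypts the ticket to that key), and the function names, key labels and sample values are all constructed for illustration. The point it makes visible is which party must hold the "network-access" service key: only the AAA server when the method terminates there, but every NAS once tickets are validated at the NAS for fast reconnect.

```python
import hmac
import hashlib

SERVICE = "network-access"  # constructed name for the Kerberos service principal


def kdc_issue_ticket(service_key: bytes, client: str, expires: int) -> dict:
    """KDC side: bind (client, service, expiry) to the service's long-term key.
    HMAC stands in for encryption under the service key in this toy model."""
    body = f"{client}|{SERVICE}|{expires}".encode()
    tag = hmac.new(service_key, body, hashlib.sha256).digest()
    return {"body": body, "tag": tag}


def validate_ticket(service_key: bytes, ticket: dict, now: int) -> bool:
    """Whoever validates a ticket must hold the service key; also enforce expiry."""
    expected = hmac.new(service_key, ticket["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return False  # forged, tampered, or issued for a different key
    _client, _service, expires = ticket["body"].decode().split("|")
    return now < int(expires)


def aaa_terminated(aaa_keyring: dict, ticket: dict, now: int) -> str:
    """Option 1 from the thread: the AAA server talks to the KDC / validates the
    ticket and returns a plain EAP result; the NAS only relays and needs no key."""
    key = aaa_keyring.get(SERVICE)
    if key is None or not validate_ticket(key, ticket, now):
        return "EAP-Failure"
    return "EAP-Success"


def nas_terminated(nas_keyring: dict, ticket: dict, now: int) -> str:
    """Option 2: the NAS validates the ticket itself (e.g. fast reconnect), so the
    service key must be replicated to every NAS - the secret-hygiene concern."""
    key = nas_keyring.get(SERVICE)
    if key is None:
        return "EAP-Failure"  # NAS cannot validate without the Kerberos key
    return "EAP-Success" if validate_ticket(key, ticket, now) else "EAP-Failure"


if __name__ == "__main__":
    k = hashlib.sha256(b"constructed-service-key").digest()
    t = kdc_issue_ticket(k, "alice", expires=1000)
    print(aaa_terminated({SERVICE: k}, t, now=500))  # AAA holds the key
    print(nas_terminated({}, t, now=500))            # NAS without the key
    print(nas_terminated({SERVICE: k}, t, now=500))  # NAS with the key
```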
