Re: [SECMECH] Summary of IETF63 secmech BOF
Charles Clancy <clancy@cs.umd.edu> Thu, 04 August 2005 08:40 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org)
by megatron.ietf.org with esmtp (Exim 4.32)
id 1E0bHJ-0005zm-95; Thu, 04 Aug 2005 04:40:37 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org)
by megatron.ietf.org with esmtp (Exim 4.32) id 1E0bHG-0005zh-T1
for secmech@megatron.ietf.org; Thu, 04 Aug 2005 04:40:35 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1])
by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA12404
for <secmech@ietf.org>; Thu, 4 Aug 2005 04:40:32 -0400 (EDT)
Received: from carrierpigeon.cs.umd.edu ([128.8.129.58])
by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E0bo5-0005TU-30
for secmech@ietf.org; Thu, 04 Aug 2005 05:14:32 -0400
Received: from ismene (ismene.cs.umd.edu [128.8.126.62])
by carrierpigeon.cs.umd.edu (8.12.10/8.12.5) with ESMTP id
j748eIfD005811
for <secmech@ietf.org>; Thu, 4 Aug 2005 04:40:18 -0400 (EDT)
Date: Thu, 4 Aug 2005 04:35:19 -0400 (EDT)
From: Charles Clancy <clancy@cs.umd.edu>
X-X-Sender: clancy@ismene
To: secmech@ietf.org
Subject: Re: [SECMECH] Summary of IETF63 secmech BOF
In-Reply-To: <7210B31550AC934A8637D6619739CE6905A0DD92@e2k-sea-xch2.sea-alpha.cisco.com>
Message-ID: <Pine.GSO.4.60.0508040413340.13855@ismene>
References: <7210B31550AC934A8637D6619739CE6905A0DD92@e2k-sea-xch2.sea-alpha.cisco.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Spam-Score: 0.0 (/)
X-Scan-Signature: bb8f917bb6b8da28fc948aeffb74aa17
Cc:
X-BeenThere: secmech@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security mechanisms BOF <secmech.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/secmech>,
<mailto:secmech-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/secmech>
List-Post: <mailto:secmech@lists.ietf.org>
List-Help: <mailto:secmech-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/secmech>,
<mailto:secmech-request@lists.ietf.org?subject=subscribe>
Sender: secmech-bounces@lists.ietf.org
Errors-To: secmech-bounces@lists.ietf.org
> Next Steps / Action Items > -------------------------- > 1. Collect the requirements we have for EAP methods and select a (1 - 3) > types of mechanisms to support. I'd suggest the so-called "Housley Criteria", as documented by section 6.2 of draft-ietf-eap-keying, and expanded on in section 4 of draft-housley-aaa-key-mgmt as a good set of technical requirements. These are a superset of the WLAN EAP requirements (RFC 4017). These include: * Extensible ciphersuite * Establish strong, fresh session keys * Maintain algorithm independence * Include replay detection mechanism * Authenticate all parties * Maintain confidentiality of authenticator * No plaintext passwords * Perform client and NAS authorization * Maintain confidentiality of session keys * Confirm selection of "best" ciphersuite * Uniquely name session keys * Compromise of a single NAS cannot compromise any other part of the system, including session keys and long-term keys * Bind key to appropriate context As for methods to select, I proposed EAP-PAX (draft-clancy-eap-pax) and EAP-TLS (RFC 2716). EAP-PAX is a non-tunneled, shared-key method supporting key management, provisioning, and identity protection. It satisfies all the aforementioned requirements. EAP-TLS would require some minor updates to meet the requirements, but would make a solid public-key standards-track method. [ t. charles clancy ]--[ tcc@umd.edu ]--[ www.cs.umd.edu/~clancy ] [ computer science ]-----[ university of maryland | college park ] _______________________________________________ SECMECH mailing list SECMECH@lists.ietf.org https://www1.ietf.org/mailman/listinfo/secmech
- [SECMECH] Summary of IETF63 secmech BOF Salowey, Joe
- Re: [SECMECH] Summary of IETF63 secmech BOF Charles Clancy