Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges

Charles Clancy <> Wed, 17 August 2005 22:20 UTC

Date: Wed, 17 Aug 2005 18:14:07 -0400 (EDT)
From: Charles Clancy <>
X-X-Sender: clancy@ismene
To: "Salowey, Joe" <>
Subject: Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges
Message-ID: <Pine.GSO.4.60.0508171418010.13012@ismene>

Mechanism Bridges sounds like a hack to me.

IMHO, Framework Bindings sounds like the way to go.  It gives you more 
control over which mechanisms are used in which frameworks.  Each 
framework has a different threat model, and not all mechanisms from one 
framework may be good in another.  For example, using basic krb5 in 
802.11i-EAP is a bad idea because of dictionary attacks.

[ t. charles clancy ]--[ ]--[ ]
[ computer science ]-----[ university of maryland | college park ]

On Tue, 16 Aug 2005, Salowey, Joe wrote:

> At the secmech BOF Nico introduced the following two approaches towards
> achieving generally usable authentication mechanisms: Framework Binding
> and Mechanism Bridges.  I'd like to see if there is understanding of the
> two approaches and a consensus on how to approach the problem.
>
> Framework Bindings - the framework bindings approach requires that when
> a mechanism is specified it is specified as a mechanism in the
> frameworks of GSS-API, SASL and EAP.  The specification would have to
> define functionality to meet a superset of all the requirements for each
> framework and then define how the mechanism integrates with (or is bound
> to) each framework.
>
> Mechanism Bridges - in the mechanism bridges approach a specialized
> mechanism is used to map all mechanisms in one framework into another
> framework.  An example of this exists in SASL where there is a mechanism
> defined that makes all GSS-API mechanisms available in the SASL
> framework.  It should be possible to create a bridge mechanism that
> makes GSS-API mechanisms into EAP mechanisms and vice versa at least for
> a subset of mechanisms.  The bridge mechanism itself may provide some
> functionality that is not available in a particular framework.  For
> example an EAP to GSS bridge mechanism may provide a generic security
> layer that uses the EAP master session key (MSK) to establish a security
> context and provide a security layer between the GSS initiator and GSS
> acceptor.
>
> The answer may lie somewhere between these two approaches.  Comments?
>
> Joe