Hi,
I just glanced over this draft. In section 12.1 each of the security
claims seems to refer to sections from the -08 version of the draft.
For instance,
Confidentiality: No (section 11.14 and 11.16)
where in the -08 draft sections 11.14 and 11.16 discuss ID protection
and confidentiality, respectively, but it's 12.15 and 12.17 in the -09
version. Am I misreading this somehow?
I also think that the security claims in 12.1 should explicitly spell
out whether they meet RFC 4017 requirements, like the charter says.
I'm glad that my comment on non-resistance to dictionary attack
was accepted. Thanks! But I still think that section is somewhat
ambiguous. It says, "Users who use passwords as the basis of their PSK
are not protected against dictionary attacks." Well, that's true but users
who do not use passwords as the basis of their PSK are also not protected
against dictionary attacks!
I'd like to suggest the following text for section 12.7:
The success of a dictionary attack against EAP-GPSK depends on
the strength of the long-term shared secret (PSK) it uses. The
PSK used by EAP-GPSK SHOULD be drawn from a pool of secrets that
is at least 2^128 bits large and whose distribution is uniformly
random. Note that this does not imply resistance to dictionary
attack, only that the probability of success in such an attack
is acceptably remote.
That is, I believe, fair, accurate, and unambiguous.
regards,
Dan.
On Fri, June 27, 2008 8:30 am, [EMAIL PROTECTED] wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the EAP Method Update Working Group of the
> IETF.
>
>
> Title : EAP Generalized Pre-Shared Key (EAP-GPSK) Method
> Author(s) : C. Clancy, H. Tschofenig
> Filename : draft-ietf-emu-eap-gpsk-09.txt
> Pages : 38
> Date : 2008-06-27
>
> This Internet Draft defines an Extensible Authentication Protocol
> method called EAP Generalized Pre-Shared Key (EAP-GPSK). This method
> is a lightweight shared-key authentication protocol supporting mutual
> authentication and key derivation.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-emu-eap-gpsk-09.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
> _______________________________________________
> Emu mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/emu
>
_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
