#7: Password Authentication

> Section 3.1 Password Authentication
>
> "Many legacy systems only support user authentication with
> passwords. Some of these systems require transport of the actual
> username and password to the authentication server. The tunnel
> method MUST support this use case."
>
> As currently worded, this statement is somewhat vague.
> Is this statement implying that a tunnel method must support
> password-only authentication (e.g. no certificates)? If so,
> is there a requirement to support weak passwords or just
> pre-shared keys?

[Joe] Perhaps this can be clarified by saying: "The tunnel method MUST
support transporting username and password to the authentication
server."

> Would a tunnel method utilizing a server certificate to
> create a tunnel, and doing password authentication within the
> tunnel meet this requirement? What about a tunnel method
> utilizing a pre-shared key ciphersuite?

[Joe] If the tunnel method can transport the username and password to
the authentication server securely it would meet the requirement;
however, if you already have a pre-shared key that is sufficient to
establish the tunnel it is not clear why you would need to do password
authentication.

> "However, it MUST NOT expose the username and password to parties in
> the communication path between the peer and the EAP Server and it
> MUST provide protection against man-in-the-middle and dictionary
> attacks."
>
> Does this requirement apply to provisioning or just to
> ongoing password authentication?

[Joe] This section is talking about ongoing password authentication.

--
Ticket URL: <http://trac.tools.ietf.org/wg/emu/trac/ticket/7>
emu <http://tools.ietf.org/wg/emu/>