Hello,

Perhaps it would be a good idea to mandate that the method used to authenticate the tunnel (outer method, whatever you want to call it) MUST NOT be susceptible to a dictionary attack if it is going to be used to transport a username and plaintext password to the authentication server.
regards,

Dan.

On Wed, August 5, 2009 1:25 pm, Joseph Salowey (jsalowey) wrote:
>
> #7: Password Authentication
>
> > Section 3.1 Password Authentication
> >
> > " Many legacy systems only support user authentication with passwords.
> > Some of these systems require transport of the actual username and
> > password to the authentication server. The tunnel method MUST support
> > this use case."
> >
> > As currently worded, this statement is somewhat vague.
> > Is this statement implying that a tunnel method must support
> > password-only authentication (e.g. no certificates)? If so, is there
> > a requirement to support weak passwords or just pre-shared keys?
>
> [Joe] Perhaps this can be clarified by saying:
>
> "The tunnel method MUST support transporting username and password to
> the authentication server."
>
> > Would a tunnel method utilizing a server certificate to create a
> > tunnel, and doing password authentication within the tunnel meet this
> > requirement? What about a tunnel method utilizing a pre-shared key
> > ciphersuite?
>
> [Joe] If the tunnel method can transport the username and password to
> the authentication server securely it would meet the requirement,
> however if you already have a pre-shared key that is sufficient to
> establish the tunnel it is not clear why you would need to do password
> authentication.
>
> > " However, it MUST NOT expose the username and password to parties in
> > the communication path between the peer and the EAP Server and it
> > MUST provide protection against man-in-the-middle and dictionary
> > attacks."
> >
> > Does this requirement apply to provisioning or just to ongoing
> > password authentication?
>
> [Joe] This section is talking about ongoing password authentication.
>
> --
> Ticket URL: <http://trac.tools.ietf.org/wg/emu/trac/ticket/7>
> emu <http://tools.ietf.org/wg/emu/>
>
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu
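The point Dan makes above (an outer method that is itself vulnerable to a dictionary attack cannot protect the plaintext password it carries), as an added illustration that is not part of the thread and is not code from any EAP tunnel method. The "tunnel" below is a deliberately simplified toy: its key is derived only from a pre-shared key and two public nonces, with no server key pair and no PAKE, which is the property that lets a passive eavesdropper test PSK guesses offline against the captured exchange. The keystream construction, the nonces, the candidate list and the credentials (alice / hunter2) are all constructed for this example.

```python
"""Toy model: an outer PSK-keyed tunnel with a guessable PSK leaks the
inner username/password to a passive eavesdropper.

Added illustration, not code from the EMU thread or from any EAP method.
Everything here (key derivation, keystream, sample data) is constructed.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple


def derive_tunnel_key(psk: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Tunnel key from PSK + public nonces only (no server key pair, no PAKE)."""
    return hmac.new(psk, b"toy-tunnel-key" + client_nonce + server_nonce,
                    hashlib.sha256).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream built from SHA-256; a toy, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def run_psk_tunnel(psk: bytes, username: str, password: str) -> dict:
    """Return what an eavesdropper on the peer/EAP-server path can capture."""
    client_nonce, server_nonce = os.urandom(16), os.urandom(16)
    key = derive_tunnel_key(psk, client_nonce, server_nonce)
    inner = f"{username}:{password}".encode()  # plaintext credential inside the tunnel
    ciphertext = xor_bytes(inner, keystream(key, len(inner)))
    tag = hmac.new(key, client_nonce + server_nonce + ciphertext, hashlib.sha256).digest()
    return {"client_nonce": client_nonce, "server_nonce": server_nonce,
            "ciphertext": ciphertext, "tag": tag}


def offline_dictionary_attack(transcript: dict,
                              candidate_psks: Iterable[bytes]) -> Optional[Tuple[bytes, str]]:
    """Passive attacker: re-derive the key for each guess, check it against the
    public integrity tag, and on a hit decrypt the inner credential."""
    cn, sn = transcript["client_nonce"], transcript["server_nonce"]
    ct, tag = transcript["ciphertext"], transcript["tag"]
    for guess in candidate_psks:
        key = derive_tunnel_key(guess, cn, sn)
        expected = hmac.new(key, cn + sn + ct, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            inner = xor_bytes(ct, keystream(key, len(ct)))
            return guess, inner.decode()
    return None


# Constructed candidate list standing in for a real password dictionary.
DICTIONARY = [b"password", b"letmein", b"winter2009", b"corpwifi", b"Summer09!"]


def demo_weak_psk() -> Optional[Tuple[bytes, str]]:
    """Human-chosen outer PSK: the attack recovers the PSK and, with it, the
    inner username/password the tunnel was supposed to protect."""
    transcript = run_psk_tunnel(b"winter2009", "alice", "hunter2")
    return offline_dictionary_attack(transcript, DICTIONARY)


def demo_strong_psk() -> Optional[Tuple[bytes, str]]:
    """Random 256-bit PSK: no feasible dictionary contains it, so the same
    capture yields nothing. A certificate-authenticated tunnel goes further
    and removes the shared secret from the key derivation altogether."""
    transcript = run_psk_tunnel(os.urandom(32), "alice", "hunter2")
    return offline_dictionary_attack(transcript, DICTIONARY)


if __name__ == "__main__":
    print("weak PSK  :", demo_weak_psk())
    print("strong PSK:", demo_strong_psk())
```

The check is offline and passive: the attacker never talks to the server, so server-side rate limiting or lockout does nothing, and every tunnel established with that PSK, past or future, is exposed once it is guessed. That is why the outer method's dictionary resistance, not just the inner method's, matters for the requirement in section 3.1.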