OK good points. I can see the problem with the authentication server wording. I think EAP server is more correct in this case as it leaves deployment options open. Is the text OK if we change Authentication Server to EAP server in this paragraph?

Joe

> -----Original Message-----
> From: Alan DeKok [mailto:al...@deployingradius.com]
> Sent: Friday, December 04, 2009 10:00 AM
> To: Joseph Salowey (jsalowey)
> Cc: Dan Harkins; emu@ietf.org
> Subject: Re: [Emu] Issue #7: Password Authentication
>
> Joseph Salowey (jsalowey) wrote:
> > This section is about transporting clear text usernames and passwords
> > within the tunnel, so password transport requirement needs to stay.
> > I'm fine with more accurate text for describing the attacks. I
> > propose the following text:
> >
> > "The tunnel method MUST support transporting clear text username and
> > password to the authentication server. It MUST NOT reveal information
> > about the username and password to parties in the communication path
> > between the peer and the EAP Server. The advantage any attacker gains
> > against the tunneled method when employing a username and password for
> > authentication MUST be through interaction and not computation."
>
> The first sentence refers to "authentication server", while the second
> uses "EAP server". I suggest using "EAP server" for both, as it is used
> elsewhere in the document, too.
>
> Alan DeKok.