Hi Joe,

I like your suggestion. Using "EAP server" would satisfy my concern.

thanks,

Dan.

On Fri, December 4, 2009 11:56 am, Joseph Salowey (jsalowey) wrote:
> OK good points. I can see the problem with the authentication server
> wording. I think EAP server is more correct in this case as it leaves
> deployment options open. Is the text OK if we change Authentication
> Server to EAP server in this paragraph?
>
> Joe
>
>> -----Original Message-----
>> From: Alan DeKok [mailto:al...@deployingradius.com]
>> Sent: Friday, December 04, 2009 10:00 AM
>> To: Joseph Salowey (jsalowey)
>> Cc: Dan Harkins; emu@ietf.org
>> Subject: Re: [Emu] Issue #7: Password Authentication
>>
>> Joseph Salowey (jsalowey) wrote:
>> > This section is about transporting clear text usernames and passwords
>> > within the tunnel, so password transport requirement needs to stay.
>> > I'm fine with more accurate text for describing the attacks. I
>> > propose the following text:
>> >
>> > "The tunnel method MUST support transporting clear text username and
>> > password to the authentication server. It MUST NOT reveal information
>> > about the username and password to parties in the communication path
>> > between the peer and the EAP Server. The advantage any attacker gains
>> > against the tunneled method when employing a username and password for
>> > authentication MUST be through interaction and not computation. "
>>
>> The first sentence refers to "authentication server", while
>> the second uses "EAP server". I suggest using "EAP server"
>> for both, as it is used elsewhere in the document, too.
>>
>> Alan DeKok.