See inline.

> -----Original Message-----
> From: Dan Harkins [mailto:dhark...@lounge.org]
> Sent: Wednesday, March 03, 2010 3:39 PM
> To: Hoeper Katrin-QWKN37
> Cc: Dan Harkins; Joseph Salowey; emu@ietf.org
> Subject: RE: [Emu] review of draft-ietf-emu-eaptunnel-req-04
>
>
> Hi Katrin,
>
> On Wed, March 3, 2010 12:31 pm, Hoeper Katrin-QWKN37 wrote:
> > Dan,
> >
> > OK, I understand that the tunnel provides all these other feats.
> >
> > But why can't the server authenticate during the tunnel protocol? I
> > still don't understand the use case for mutually anonymous tunnels.
>
> Because it doesn't have the right credential.
>
> > If the server has a certificate why can't it send it to the peer before
> > or during the tunnel establishment?
>
> If the server has a certificate then sending it to the peer
> would not really solve any problem. The peer would still need to
> have a reason to trust it and we're back to the problem of putting
> a trusted certificate in some certificate store. A global PKI to
> solve all of our certificate issues still has not materialized.
>
> > If the peer and server share a secret, then this could be used to
> > establish the tunnel.
>
> If the peer and server share a secret they could use one of the PSK
> ciphersuites for TLS but those are susceptible to a dictionary attack
> and are therefore inappropriate.
>
> The tunnel is being established with EAP-TLS so we are limited to
> TLS ciphersuites and the authentication they provide. If a TLS ciphersuite
> was appropriate always and everywhere then we would not need any other
> EAP methods, we'd just do EAP-TLS. But that is not the case. Also it is
> a requirement to tunnel additional EAP methods inside the tunnel so
> obviously there are EAP methods that provide something that a TLS
> ciphersuite does not.
>
> > What I am saying is what kind of server authentication credentials could
> > be used inside an anonymous tunnel that could not be used to
> > authenticate the server in the tunnel protocol? (given that privacy is
> > not the issue)
>
> A low-entropy password that can easily be remembered and entered by a
> human with low probability of error.

[KH] I asked what kind of SERVER credentials, not peer credentials.

> Dan.
>
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
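The dictionary-attack point raised in the quoted reply (a TLS-PSK ciphersuite keyed with a human-chosen password lets a passive observer check guesses against a recorded handshake, with no further contact with the server) as an added toy illustration; this is not code from the thread or from any TLS implementation. Only the premaster-secret layout follows RFC 4279; the transcript contents and the HMAC standing in for the TLS PRF/Finished computation are constructed simplifications.

```python
"""Toy model of why a password-keyed TLS-PSK handshake is an offline
guessing oracle, and why a random high-entropy PSK is not.
Constructed example: the handshake shape and the HMAC used in place of
the TLS PRF are simplifications; only psk_premaster follows RFC 4279."""
import hashlib
import hmac
import os
import secrets


def psk_premaster(psk: bytes) -> bytes:
    # RFC 4279 section 2, plain PSK key exchange:
    #   premaster = uint16(N) || N zero octets || uint16(N) || psk
    # where N is the PSK length. Nothing secret other than the PSK enters it.
    n = len(psk)
    return n.to_bytes(2, "big") + b"\x00" * n + n.to_bytes(2, "big") + psk


def verify_data(psk: bytes, transcript: bytes) -> bytes:
    # Stand-in for the Finished computation: a MAC over everything that was
    # sent in the clear, keyed by material derived solely from the PSK.
    return hmac.new(psk_premaster(psk), transcript, hashlib.sha256).digest()


def handshake(psk: bytes):
    # Both nonces and the PSK identity travel unencrypted, so a passive
    # observer records the entire transcript (constructed layout).
    transcript = (b"ClientHello" + os.urandom(32)
                  + b"ServerHello" + os.urandom(32)
                  + b"psk_identity=alice")
    return transcript, verify_data(psk, transcript)


def offline_verifiable(transcript: bytes, finished: bytes, candidates):
    """Return the candidate PSK an observer can confirm from the recorded
    handshake alone, or None. Because each guess is checked locally, the
    defender's only lever is the size of the candidate space: a password
    lives in a small dictionary, a 32-byte random PSK does not. This is
    why the thread wants password methods inside the tunnel instead."""
    for cand in candidates:
        if hmac.compare_digest(verify_data(cand, transcript), finished):
            return cand
    return None


if __name__ == "__main__":
    words = [b"password", b"letmein", b"summer2010", b"qwerty"]  # constructed
    t, f = handshake(b"summer2010")
    print("password PSK confirmed offline:", offline_verifiable(t, f, words))
    t, f = handshake(secrets.token_bytes(32))
    print("random PSK confirmed offline:", offline_verifiable(t, f, words))
```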