Sorry Dan, is EAP-pwd using the password for mutual authentication?
> -----Original Message-----
> From: emu-boun...@ietf.org [mailto:emu-boun...@ietf.org] On Behalf Of Hoeper Katrin-QWKN37
> Sent: Wednesday, March 03, 2010 4:28 PM
> To: Dan Harkins
> Cc: emu@ietf.org
> Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04
>
> How does that authenticate the server if a user enters a password?
>
> If the server says, yes that was the right password?
>
> > -----Original Message-----
> > From: Dan Harkins [mailto:dhark...@lounge.org]
> > Sent: Wednesday, March 03, 2010 4:14 PM
> > To: Hoeper Katrin-QWKN37
> > Cc: Dan Harkins; Joseph Salowey; emu@ietf.org
> > Subject: RE: [Emu] review of draft-ietf-emu-eaptunnel-req-04
> >
> > Since they both use the same low-entropy password to perform their
> > mutual authentication it is not, strictly speaking, just the peer's
> > credential.
> >
> > Dan.
> >
> > On Wed, March 3, 2010 1:45 pm, Hoeper Katrin-QWKN37 wrote:
> > >
> > > See inline.
> > >> -----Original Message-----
> > >> From: Dan Harkins [mailto:dhark...@lounge.org]
> > >> Sent: Wednesday, March 03, 2010 3:39 PM
> > >> To: Hoeper Katrin-QWKN37
> > >> Cc: Dan Harkins; Joseph Salowey; emu@ietf.org
> > >> Subject: RE: [Emu] review of draft-ietf-emu-eaptunnel-req-04
> > >>
> > >> Hi Katrin,
> > >>
> > >> On Wed, March 3, 2010 12:31 pm, Hoeper Katrin-QWKN37 wrote:
> > >> > Dan,
> > >> >
> > >> > OK, I understand that the tunnel provides all these other feats.
> > >> >
> > >> > But why can't the server authenticate during the tunnel protocol? I
> > >> > still don't understand the use case for mutually anonymous tunnels.
> > >>
> > >> Because it doesn't have the right credential.
> > >>
> > >> > If the server has a certificate why can't it send it to the peer before
> > >> > or during the tunnel establishment?
> > >>
> > >> If the server has a certificate then sending it to the peer
> > >> would not really solve any problem. The peer would still need to
> > >> have a reason to trust it and we're back to the problem of putting
> > >> a trusted certificate in some certificate store. A global PKI to
> > >> solve all of our certificate issues still has not materialized.
> > >>
> > >> > If the peer and server share a secret, then this could be used to
> > >> > establish the tunnel.
> > >>
> > >> If the peer and server share a secret they could use one of the PSK
> > >> ciphersuites for TLS but those are susceptible to a dictionary attack
> > >> and are therefore inappropriate.
> > >>
> > >> The tunnel is being established with EAP-TLS so we are limited to
> > >> TLS ciphersuites and the authentication they provide. If a TLS ciphersuite
> > >> was appropriate always and everywhere then we would not need any other
> > >> EAP methods, we'd just do EAP-TLS. But that is not the case. Also it is
> > >> a requirement to tunnel additional EAP methods inside the tunnel so
> > >> obviously there are EAP methods that provide something that a TLS
> > >> ciphersuite does not.
> > >>
> > >> > What I am saying is what kind of server authentication credentials could
> > >> > be used inside an anonymous tunnel that could not be used to
> > >> > authenticate the server in the tunnel protocol? (given that privacy is
> > >> > not the issue)
> > >>
> > >> A low-entropy password that can easily be remembered and entered by a
> > >> human with low probability of error.
> > > [KH] I asked what kind of SERVER credentials not peer credentials.
> > >>
> > >> Dan.
> > >>
> >
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu