Hi Yaron,

The existing text is just about restricting the mandatory to implement cipher suites. Are you OK with the text?

Thanks,
Joe

> -----Original Message-----
> From: emu-boun...@ietf.org [mailto:emu-boun...@ietf.org] On Behalf Of Yaron Sheffer
> Sent: Wednesday, March 03, 2010 11:05 PM
> To: Alan DeKok
> Cc: emu@ietf.org
> Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04
>
> Hi Alan,
>
> Initial provisioning by shipping the device with the trust anchor pre-installed is fine, if you're Verizon. But in many cases you don't control the device, and don't have a trusted path through which to transport the CA cert (I am thinking enterprise CA here, not a public CA). The combination of anonymous tunnel plus mutual auth with a one-time password allows you to do that.
>
> But I'm OK with not making this option mandatory, since there are important use cases that don't need it.
>
> Thanks,
> Yaron
>
> > -----Original Message-----
> > From: Alan DeKok [mailto:al...@deployingradius.com]
> > Sent: Thursday, March 04, 2010 8:47
> > To: Yaron Sheffer
> > Cc: emu@ietf.org
> > Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04
> >
> > Yaron Sheffer wrote:
> > > Joe, what Dan is proposing is a reasonable way to use a one-time password for the initial provisioning of a trust anchor. Initial provisioning is important for many types of deployments. Does the document allow an alternative secure way to do that?
> >
> > TLS-based methods can leverage server certificates. This is already done in other areas (WiMAX, etc.)
> >
> > i.e. ship a device with a known CA, and on first provisioning, TLS checks the server certificate, and the user validates that the name of the server is what was expected.
> >
> > Since the document doesn't forbid anonymous methods, the only issue here is whether or not the document should make them mandatory to implement. I agree with Joe, in that they shouldn't be mandatory.
> >
> > Alan DeKok.
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
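The two provisioning paths the thread contrasts, as an added example that is not part of the thread, the draft, or any EAP implementation: a client context that trusts only a CA shipped on the device and checks the server name, beside an anonymous-tunnel context that authenticates nobody at the TLS layer and therefore relies on an inner mutual authentication (such as the one-time password Yaron describes). It uses only Python's standard `ssl` module; `TRUST_ANCHOR_PATH` is a hypothetical location, and `SAMPLE_PEERCERT` is a constructed dictionary shaped like `getpeercert()` output, not a real certificate. `server_name_matches` spells out the "user validates the name of the server" step against the DNS names the server presented.

```python
"""Client-side trust-anchor validation for first-time provisioning over TLS.

Added example, not code from the emu thread, the draft, or any EAP stack.
A device shipped with a known CA authenticates the server on first contact
(provisioning_context); an anonymous tunnel (anonymous_context) does not,
and must be followed by an inner mutual authentication step.
"""
import ssl
from typing import Optional

TRUST_ANCHOR_PATH = "/etc/provisioning/trust-anchor.pem"  # hypothetical path


def provisioning_context(cafile: Optional[str] = TRUST_ANCHOR_PATH) -> ssl.SSLContext:
    """Client context that trusts only the pre-installed CA and checks the server name.

    cafile=None loads no trust anchor at all, so every handshake fails closed;
    that is the right behaviour if the shipped anchor is missing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True            # presented name must match the expected one
    ctx.verify_mode = ssl.CERT_REQUIRED  # server must chain to the shipped anchor
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)  # deliberately not load_default_certs()
    return ctx


def anonymous_context() -> ssl.SSLContext:
    """Client context for an anonymous tunnel: no server authentication at the TLS layer.

    Order matters: check_hostname must be cleared before verify_mode can be
    set to CERT_NONE, otherwise the ssl module raises ValueError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def enforces_server_auth(ctx: ssl.SSLContext) -> bool:
    """True only if the context requires a chain to a trust anchor and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def server_name_matches(peercert: dict, expected: str) -> bool:
    """Check the DNS names the server presented against the name the user expects.

    peercert has the shape returned by SSLSocket.getpeercert(). Only
    subjectAltName DNS entries are consulted (not the CN), and a wildcard is
    honoured only as a single leftmost label, as in "*.example.com".
    """
    expected = expected.lower().rstrip(".")
    for kind, value in peercert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == expected:
            return True
        if pattern.startswith("*.") and "*" not in pattern[2:]:
            suffix = pattern[1:]  # e.g. ".devices.example.com"
            head = expected[: -len(suffix)] if expected.endswith(suffix) else ""
            if head and "." not in head:  # exactly one label stands in for "*"
                return True
    return False


# Constructed sample shaped like getpeercert() output; not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "prov.example.com"),),),
    "subjectAltName": (("DNS", "prov.example.com"), ("DNS", "*.devices.example.com")),
}


if __name__ == "__main__":
    print("pinned context enforces server auth:",
          enforces_server_auth(provisioning_context(cafile=None)))
    print("anonymous context enforces server auth:",
          enforces_server_auth(anonymous_context()))
    print("prov.example.com accepted:",
          server_name_matches(SAMPLE_PEERCERT, "prov.example.com"))
    print("other.example.com accepted:",
          server_name_matches(SAMPLE_PEERCERT, "other.example.com"))
```

The design point is that the pinned context never calls `load_default_certs()`: a provisioning client should accept only the anchor it shipped with, not the platform store, so an enterprise CA the device has never seen cannot be substituted. The anonymous context is the other extreme, and the reason the thread treats it as acceptable only when an inner mutual authentication follows.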