On Tue, Apr 12, 2011 at 2:39 PM, Dan Harkins <dhark...@lounge.org> wrote:
> On Tue, April 12, 2011 11:53 am, Nico Williams wrote:
>> On Tue, Apr 12, 2011 at 1:01 PM, Dan Harkins <dhark...@lounge.org> wrote:
>>> On Tue, April 12, 2011 7:38 am, Nico Williams wrote:
>>>> I don't get the hostility to pluggable authentication architectures.
>>>> Why on Earth should any of us dictate to users what kinds of
>>>> authentication infrastructures they must have?
>>>
>>> We do that when we ship support for some authentication credential
>>> in a product. Whether it's a particular EAP method or a TLS ciphersuite
>>> or support for a particular authentication method in IKE.
>>
>> Who ships credentials? Customers control credentials, not vendors.
>> (The only exception is default trust anchors, which are a sort of
>> credential.)
>
> I said _support_ some credential, not ship the credential. If your
> product supports EAP-SIM then what I'm saying is you are "dictating to
> users what kind of authentication infrastructure they must have", namely
> one that supports SIM cards.

Oops, sorry, I misread that.

>> I'm not fond of the proliferation of authentication frameworks. If
>> you thought I was, you misunderstood. I'd rather see one framework
>> win (which is why we did the SASL/GS2 bridge to GSS-API mechanisms).
>> We have all the frameworks that we have because historically various
>> groups created them independently, often as a generalization of the
>> reality that various protocols were pluggable but without a generic
>> framework (this is true of EAP and SASL). And here Tero is proposing
>> yet another pluggable framework.
>>
>> Tero's proposal: create a new pluggable authentication framework.
>> My proposal: pick an off-the-shelf framework.
>>
>> Your proposal: ?? Force a single authentication mechanism on all?
>
> No no, not at all. Robustness and misuse resistance is my proposal. Using
> the best technique directly in the protocol for the chosen credential.
> If you want to use certificates then use certificates in the exchange.
> If you want to use a password then use a password in the exchange. But
> "let's use X" where X is some pluggable framework is definitely not
> my proposal.

"If you want to use certs then use certs... if you want to use passwords
then use passwords ..." implies an authentication framework with at least
two authentication mechanisms (and negotiation!). So you're for at least
one authentication framework. Only you weren't aware of it.

Or what did I miss this time? :)

Nico

--
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec