December 04, 2009 10:00 AM
>> To: Joseph Salowey (jsalowey)
>> Cc: Dan Harkins; emu@ietf.org
>> Subject: Re: [Emu] Issue #7: Password Authentication
>>
>> Joseph Salowey (jsalowey) wrote:
>> > This section is about transporting clear text usernames and
>> passw
: Alan DeKok [mailto:al...@deployingradius.com]
> Sent: Friday, December 04, 2009 10:00 AM
> To: Joseph Salowey (jsalowey)
> Cc: Dan Harkins; emu@ietf.org
> Subject: Re: [Emu] Issue #7: Password Authentication
>
> Joseph Salowey (jsalowey) wrote:
> > This section is
Joseph Salowey (jsalowey) wrote:
> This section is about transporting clear text usernames and passwords
> within the tunnel, so password transport requirement needs to stay. I'm
> fine with more accurate text for describing the attacks. I propose the
> following text:
>
> "The tunnel method MUS
--
>> From: Alan DeKok [mailto:al...@deployingradius.com]
>> Sent: Thursday, December 03, 2009 11:36 PM
>> To: Dan Harkins
>> Cc: Joseph Salowey (jsalowey); emu@ietf.org
>> Subject: Re: [Emu] Issue #7: Password Authentication
>>
>> Dan Harkins wrote:
>>
entication MUST be through interaction and not computation. "
Cheers,
Joe
> -Original Message-
> From: Alan DeKok [mailto:al...@deployingradius.com]
> Sent: Thursday, December 03, 2009 11:36 PM
> To: Dan Harkins
> Cc: Joseph Salowey (jsalowey); emu@ietf.org
> Subj
Dan Harkins wrote:
> A "clear-text" password will have to be sent "in the tunnel" because
> otherwise authentication would not be possible!
There are many authentication protocols which do not require the
sending of a clear-text password. CHAP, MS-CHAP, EKE, SRP, or your own
proposal. So I'm
Alan,
You are misrepresenting my concerns with this draft and (intentionally)
misunderstanding my post.
On Thu, December 3, 2009 1:20 pm, Alan DeKok wrote:
> The document states a clear requirement: the tunneled method MUST be
> capable of sending clear-text passwords in the tunnel.
A "
The document states a clear requirement: the tunneled method MUST be
capable of sending clear-text passwords in the tunnel.
You agree that the attacks against this requirement are adequately
covered by existing text in the document:
http://www.ietf.org/mail-archive/web/emu/current/msg01327.ht
On Thu, December 3, 2009 12:24 pm, Alan DeKok wrote:
> Dan Harkins wrote:
>> I refer you to my previous statements made on this list for my
>> concerns with the document which are current and unaddressed.
>
> I asked for clarification, and you claim that my attempts to discuss
> those clarifi
Dan Harkins wrote:
> I refer you to my previous statements made on this list for my
> concerns with the document which are current and unaddressed.
I asked for clarification, and you claim that my attempts to discuss
those clarifications are "tangents" and "straw men".
This doesn't make me
Once again Alan, you are wrong. Your previous summary went off on
tangents, made statements that were irrelevant and inferred things
that I never said. Responding to it would not be productive. I have
made my comments on the draft and stand by them.
I refer you to my previous statements made
Dan Harkins wrote:
>
>
>I refer the right-honourable gentleman to the answer I gave
>some moments ago.
>
>
Since there has been no new information, I can only conclude that my
previous summary was correct, and that you have no additional concerns
with the document.
Alan DeKok.
___
I refer the right-honourable gentleman to the answer I gave
some moments ago.
On Thu, December 3, 2009 2:53 am, Alan DeKok wrote:
> Dan Harkins wrote:
>> You are wrong.
>
> Are you opposed to sending clear-text passwords in the tunnel?
>
> Alan DeKok.
>
_
Dan Harkins wrote:
> You are wrong.
Are you opposed to sending clear-text passwords in the tunnel?
Alan DeKok.
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
You are wrong. But let me just give my best John Major impression
from "Prime Minister's Question Time":
I refer the right-honourable gentleman to the answer I gave
some moments ago.
On Wed, December 2, 2009 10:50 pm, Alan DeKok wrote:
> Dan Harkins wrote:
>> Slicing up my posts an
Dan Harkins wrote:
> Slicing up my posts and building up a straw man army is very
> distracting. You attempted to help by adding my comment to the
> problematic text. That didn't help, thanks for the effort though.
You brought up specific concerns, and I pointed out that the document
already a
Alan,
Slicing up my posts and building up a straw man army is very
distracting. You attempted to help by adding my comment to the
problematic text. That didn't help, thanks for the effort though.
Joe, Katrin, Steve, my comment remains. There is a property we need
in the tunnel method and t
Dan Harkins wrote:
> My heartburn over the "MUST transport the username and password" text
> is that it seems to be mandating some particular deployment and not
> mandating functionality.
Any authentication system that stores passwords has a limited set of
choices. They can store clear-text, o
Hi Alan,
My heartburn over the "MUST transport the username and password" text
is that it seems to be mandating some particular deployment and not
mandating functionality. The introductory text talks about cases where
the authentication server does not have cleartext access to, or a
consistent
Dan Harkins wrote:
> Yes, I can propose a specific modification. In fact, I did already.
It wasn't clear that the text was the suggested replacement.
> It just got truncated from the thread. What I suggest is that in
> section 3.1, in the middle of the first paragraph (the text that Joe
> was
Alan,
Yes, I can propose a specific modification. In fact, I did already.
It just got truncated from the thread. What I suggest is that in
section 3.1, in the middle of the first paragraph (the text that Joe
was quoting originally), remove this:
"The tunnel method MUST support transporti
Dan Harkins wrote:
> The text says the method
> "MUST NOT expose" the username and password. The word "expose" is not
> defined and is very vague and open to interpretations that would result
> in an insecure protocol. I think there is a property in a properly modeled
> protocol that could replace
Hi Alan,
On Tue, December 1, 2009 2:03 am, Alan DeKok wrote:
> Dan Harkins wrote:
>> I guess it depends on what you mean by "expose". If it means a kind
>> of flashing-- here's the username and password!-- then no this is not
>> sufficient. Such an exposure is certainly a problem but popular
Dan Harkins wrote:
> I guess it depends on what you mean by "expose". If it means a kind
> of flashing-- here's the username and password!-- then no this is not
> sufficient. Such an exposure is certainly a problem but popular ways to
> get around this exposure are not satisfactory. What I'm sayi
n."
>
> Is there any modification necessary?
>
> Joe
>
>> -Original Message-
>> From: Alan DeKok [mailto:al...@deployingradius.com]
>> Sent: Thursday, August 06, 2009 1:00 PM
>> To: Dan Harkins
>> Cc: Joseph Salowey (jsalowey); emu@ietf.org
>
9 1:00 PM
> To: Dan Harkins
> Cc: Joseph Salowey (jsalowey); emu@ietf.org
> Subject: Re: [Emu] Issue #7: Password Authentication
>
> Dan Harkins wrote:
> > Perhaps it would be a good idea to mandate that the
> method used to
> > authenticate the tunnel (outer meth
Dan Harkins wrote:
> Perhaps it would be a good idea to mandate that the method used
> to authenticate the tunnel (outer method, whatever you want to call
> it) MUST NOT be susceptible to a dictionary attack if it is going
> to be used to transport a username and plaintext password to the
> authe
Hello,
Perhaps it would be a good idea to mandate that the method used
to authenticate the tunnel (outer method, whatever you want to call
it) MUST NOT be susceptible to a dictionary attack if it is going
to be used to transport a username and plaintext password to the
authentication server.