[Emu] Thoughts on Password-based EAP Methods

To: emu at ietf.org
Subject: [Emu] Thoughts on Password-based EAP Methods
From: "Bernard Aboba" <bernard_aboba at hotmail.com>
Date: Tue, 27 Mar 2007 08:07:19 -0700
Bcc:
In-reply-to: <AC1CFD94F59A264488DC2BEC3E890DE503713D12@xmb-sjc-225.amer.cisco.com>
List-archive: <http://www1.ietf.org/pipermail/emu>
List-help: <mailto:emu-request@ietf.org?subject=help>
List-id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-post: <mailto:emu@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>

After listening to the IETF 68 presentation on a password-based EAP method, I would like to voice some concerns.

Today we already have an "over abundance" of such methods. These include PEAPv0, PEAPv1, EAP-TTLSv0, EAP-TTLSv1, and EAP-FAST. In my discussions with customers, I invariably hear complaints about this explosion, and about various interoperability and compatibility problems that it causes. Simply put, customers do not want "yet another password-based EAP method"; they want a single method that is widely implemented and interoperable.

I am concerned that by defining yet another password-based authentication mechanism, EMU WG will be making this problem worse, not better. Creating yet another mechanism which differs little from the existing ones also seems to have very little chance of being implemented.

There is a better alternative that EMU WG should consider. This is to choose an existing method for inclusion on the IETF Standards Track, rather than creating a new one. In order to maintain backward compatibility, this would require that the owners give up change control to the IETF.

I would suggest that the best candidate for this would be EAP-TTLSv0, since it is very widely implemented, and has an existing certification program in WFA. Also, EAP-TTLSv0 had previously been on the Standards Track in the PPPEXT WG, before work on EAP methods was removed from the PPPEXT WG charter and the EAP WG was formed.

In terms of steps to be taken, this would require the following actions:

a. Review and publication of the existing EAP-TTLSv0 specification as an RFC. The goal here would be to document EAP-TTLSv0 as it exists today.

b. Agreement by the authors to give up change control to the IETF.

c. EMU WG efforts to publish an EAP-TTLSv0 "bis" document, specifying additional capabilities (such as Channel Bindings).

_______________________________________________
Emu mailing list
Emu at ietf.org
https://www1.ietf.org/mailman/listinfo/emu

Follow-Ups:
- RE: [Emu] Thoughts on Password-based EAP Methods
  - From: Joseph Salowey \(jsalowey\)
- RE: [Emu] Thoughts on Password-based EAP Methods
  - From: Hao Zhou \(hzhou\)

References:
- [Emu] Presentations for EMU
  - From: Joseph Salowey \(jsalowey\)

Prev by Date: [Emu] AES CBC vs CTR
Next by Date: [Emu] Re: Thoughts on Password-based EAP Methods
Previous by thread: [Emu] Presentations for EMU
Next by thread: RE: [Emu] Thoughts on Password-based EAP Methods
Index(es):
- Date
- Thread

[Emu] Thoughts on Password-based EAP Methods

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.