RE: [Emu] EMU charter update,

To: "Dan Harkins" <dharkins at lounge.org>, <emu at ietf.org>
Subject: RE: [Emu] EMU charter update,
From: "Joseph Salowey (jsalowey)" <jsalowey at cisco.com>
Date: Tue, 22 Jan 2008 12:38:02 -0800
Authentication-results: sj-dkim-4; header.From=jsalowey@cisco.com; dkim=pass ( sig from cisco.com/sjdkim4002 verified; );
Cc:
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=5148; t=1201034244; x=1201898244; c=relaxed/simple; s=sjdkim4002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jsalowey@cisco.com; z=From:=20=22Joseph=20Salowey=20(jsalowey)=22=20<jsalowey@ci sco.com> |Subject:=20RE=3A=20[Emu]=20EMU=20charter=20update,=20 |Sender:=20; bh=Av5pEEC4t/eN3sl5ShBAzvlQiPk0+WVWXFCGEeDAPEA=; b=kuaLXvA86xBxpUQGZhyyVddOY0PZPru7yrTgCblpeflXsktxcCKouLHSjz 7jcMPsDOnqdoF+B9NF2dUES9tLOo+q1tOA00uT+SEaILgFV5tZayGtXL5Dm3 olQQjkdmBT;
In-reply-to: <4111.69.12.173.8.1200894973.squirrel@www.trepanning.net>
List-archive: <http://www1.ietf.org/pipermail/emu>
List-help: <mailto:emu-request@ietf.org?subject=help>
List-id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-post: <mailto:emu@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
Thread-index: Achb8ltNd/N03UhtRzGBnCq4EVA92wBQ3c3w
Thread-topic: [Emu] EMU charter update,

Hi Dan, 

> -----Original Message-----
> From: Dan Harkins [mailto:dharkins at lounge.org] 
> Sent: Sunday, January 20, 2008 9:56 PM
> To: emu at ietf.org
> Subject: RE: [Emu] EMU charter update, 
> 
> 
>   Hi Joe,
> 
>   Why are we stating that the PSK method must use a strong 
> shared secret and the method resistant to dictionary attack 
> must use the tunneled method? That seems odd. 

[Joe] The PSK is assumed to be a strong shared secret and is resistant
to dictionary attack.  

> How about 
> something along these lines:
> 
>   - A mechanism based on shared secrets that meets RFC 3748 and RFC
>   4017 requirements. This mechanism should strive to be 
> simple and compact
>   for implementation in resource constrained environments. Preference
>   will be given to solutions that can be used with a cryptographically
>   weak shared secret and that are resistant to dictionary attack.
> 
[Joe] This item of the charter is not open for revision.  The GPSK
document to meet this charter item is in IESG review at this time. 

> If a method based on a shared secret just so happened to not 
> require a cryptographically strong shared secret and was 
> resistant to dictionary attack I really hope EMU would accept 
> it and not say, "no, sorry that is too strong for us, our 
> charter mandates a much weaker solution." Of course if such a 
> solution was not, for whatever reason, acceptable to the 
> working group we could fall back on the "must be a strong 
> shared secret"
> requirement.
> 
>   The tunneled method should be resistant to dictionary 
> attack but if the non-tunneled one was also resistant to 
> dictionary attack wouldn't that be goodness?
> 
>   regards,
> 
>   Dan.
> 
> "Joseph Salowey (jsalowey)" <jsalowey at cisco.com> wrote
> > Below is a draft of the EMU charter that reflects 
> discussions we had 
> > at IETF 70.  Please review this and send comments.  I would like to 
> > have comments in by January 23, 2008.
> >
> > Thanks,
> >
> > Joe
> >
> > Description of Working Group:
> > The Extensible Authentication Protocol (EAP) [RFC 3748] is 
> a network 
> > access authentication framework used in the PPP, 802.11, 
> 802.16, VPN, 
> > PANA, and in some functions in 3G networks. EAP itself is a simple 
> > protocol and actual authentication happens in EAP methods.
> >
> > Over 40 different EAP methods exist. Most of these methods are 
> > proprietary methods and only a few methods are documented 
> in RFCs. The 
> > lack of documented, open specifications is a deployment and 
> > interoperability problem. In addition, none of the EAP 
> methods in the 
> > standards track implement features such as key derivation that are 
> > required for many modern applications. This poses a problem 
> for, among 
> > other things, the selection of a mandatory to implement EAP 
> method in 
> > new network access technologies. For example, no standards track 
> > methods meet new requirements such as those posed in RFC 
> 4017, which 
> > documents IEEE 802.11 requirements for EAP methods.
> >
> > This group is chartered to work on the following types of 
> mechanisms 
> > to meet RFC 3748 and RFC 4017 requirements:
> >
> > - An update to RFC 2716 to bring EAP-TLS into standards 
> track, clarify 
> > specification, interoperability, and implementation issues gathered 
> > over the years, and update the document to meet the requirements of 
> > RFC 3748, RFC 4017, and EAP keying framework documents. Backwards 
> > compatibility with RFC 2716 is a requirement.
> >
> > - A mechanism based on strong shared secrets that meets RFC 
> 3748 and 
> > RFC
> > 4017 requirements. This mechanism should strive to be simple and 
> > compact for implementation in resource constrained environments.
> >
> > - A mechanism to support extensible communication within a TLS 
> > protected tunnel that meets RFC 3748 and RFC 4017 
> requirements. This 
> > mechanism must support channel bindings in order to meet RFC 4962 
> > requirements.
> > This mechanism will support meeting the requirements of an enhanced 
> > TLS mechanism, a password based authentication mechanism, and 
> > additional inner authentication mechanisms.
> >
> > - Enable a TLS-based EAP method to support channel 
> bindings. So as to 
> > enable RFC 2716bis to focus solely on clarifications to the 
> existing 
> > protocol, this effort will be handled in a separate document.  This 
> > item will not generate a new method, rather it will enhance 
> EAP-TLS or 
> > the TLS based tunnel method.
> >
> > - A mechanism meeting RFC 3748 and RFC 4017 requirements that makes 
> > use of existing password databases such as AAA databases.  
> This item 
> > will be based on the above tunnel method.
> 
> 
> 
> 
> _______________________________________________
> Emu mailing list
> Emu at ietf.org
> https://www1.ietf.org/mailman/listinfo/emu
> 


_______________________________________________
Emu mailing list
Emu at ietf.org
https://www1.ietf.org/mailman/listinfo/emu

Follow-Ups:
- RE: [Emu] EMU charter update,
  - From: Dan Harkins

References:
- RE: [Emu] EMU charter update,
  - From: Dan Harkins

Prev by Date: RE: [Emu] 2716bis13: Support of certificate_status extension
Next by Date: RE: [Emu] EMU charter update,
Previous by thread: RE: [Emu] EMU charter update,
Next by thread: RE: [Emu] EMU charter update,
Index(es):
- Date
- Thread

RE: [Emu] EMU charter update,

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.