Re: [Emu] Issue #14 Emergency auth

To: "Yaron Sheffer" <yaronf at checkpoint.com>, <emu at ietf.org>
Subject: Re: [Emu] Issue #14 Emergency auth
From: "Joseph Salowey (jsalowey)" <jsalowey at cisco.com>
Date: Thu, 6 Aug 2009 16:36:14 -0700
Authentication-results: sj-dkim-1; header.From=jsalowey at cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Delivered-to: emu at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=2554; t=1249601776; x=1250465776; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jsalowey at cisco.com; z=From:=20=22Joseph=20Salowey=20(jsalowey)=22=20<jsalowey at ci sco.com> |Subject:=20RE=3A=20Issue=20#14=20Emergency=20auth |Sender:=20; bh=XpWfmcwrBzHwudWwncHFuvcn2MAT6HCaK4bOfJNJ2sw=; b=oQ3SB6YGObytUdbNa5bcvVRu3hEseXduuZoulGNqgHRetw/qCytV69gt/+ 9XLfo3btVECE/SDwxli4Yg/pOQ1gBewMaNpyBei3NqokmGCPQVkkYM0ff2Oa DUFAKJYiXB706sw+zwtk9k/eAjNdz4aztYhO/piz6CHvSkkG/XS3g=;
In-reply-to: <7F9A6D26EB51614FBF9F81C0DA4CFEC80133E56C7788 at il-ex01.ad.checkpoint.com>
List-archive: <http://www.ietf.org/mail-archive/web/emu>
List-help: <mailto:emu-request@ietf.org?subject=help>
List-id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-post: <mailto:emu@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
References: <AC1CFD94F59A264488DC2BEC3E890DE50883CECF at xmb-sjc-225.amer.cisco.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC80133E56C7788 at il-ex01.ad.checkpoint.com>
Thread-index: AcoWygz7SUqy1ZFxRmuwSIaYjBW3YQAFrKsAAAM+WNA=
Thread-topic: Issue #14 Emergency auth

Often, there is a richer interface between EAP and the authenticator.
For example in an Access-Accept message from RADIUS a number of things
can be communicated about the authentication including the identity of
the authenticated peer.  I also don't think that EAP-Success necessarily
implies mutual authentication, it just says that the EAP server is
satisfied with the result of the process. 

Joe

> -----Original Message-----
> From: Yaron Sheffer [mailto:yaronf at checkpoint.com] 
> Sent: Thursday, August 06, 2009 3:05 PM
> To: Joseph Salowey (jsalowey); emu at ietf.org
> Subject: RE: Issue #14 Emergency auth
> 
> The contract between the authenticator and the EAP layer is, 
> when I see an EAP Success message, it means that both sides 
> are authenticated. We are now breaking this contract, so it 
> makes sense to have EAP inform the upper layer of this fact.
> 
> But I suppose EAP is not extensible enough to add such 
> semantics. Sigh.
> 
> Thanks,
> 	Yaron
> 
> > -----Original Message-----
> > From: emu-bounces at ietf.org [mailto:emu-bounces at ietf.org] On 
> Behalf Of 
> > Joseph Salowey (jsalowey)
> > Sent: Thursday, August 06, 2009 22:14
> > To: emu at ietf.org
> > Subject: [Emu] Issue #14 Emergency auth
> > 
> > 
> > > Referring to Sec. 3.5 of
> > http://tools.ietf.org/html/draft-ietf-emu-eaptunnel-req-03, there 
> > should be an indication to the application that is using EAP > that 
> > such "strange" authentication took place. For example, the 
> VoIP server 
> > may than make sure that only calls to 911 or 112 are allowed. 
> > Otherwise
> > > there is no way to authorize the user without some 
> backchannel into
> > the AAA.
> > >
> > > So I propose to add:
> > 
> > > "The tunnel method, if it supports emergency services, 
> MUST provide 
> > > an
> > indication at the EAP or EAP-method level that such authentication 
> > took place; >
> > >  the indication MUST be unencrypted but integrity protected".
> > 
> > I don't understand what this text is for? Who is this 
> indication for?
> > An application should not be sniffing EAP packets to see 
> what happens.
> > It seems that this is the responsibility of a local API between the 
> > EAP server and the application.
> > 
> > 
> > Joe
> > _______________________________________________
> > Emu mailing list
> > Emu at ietf.org
> > https://www.ietf.org/mailman/listinfo/emu
> > 
> > Scanned by Check Point Total Security Gateway.
>

Follow-Ups:
- Re: [Emu] Issue #14 Emergency auth
  - From: Joseph Salowey (jsalowey)

References:
- [Emu] Issue #14 Emergency auth
  - From: Joseph Salowey (jsalowey)
- Re: [Emu] Issue #14 Emergency auth
  - From: Yaron Sheffer

Prev by Date: Re: [Emu] Issue #14 Emergency auth
Next by Date: [Emu] EAP and authorization
Previous by thread: Re: [Emu] Issue #14 Emergency auth
Next by thread: Re: [Emu] Issue #14 Emergency auth
Index(es):
- Date
- Thread

Re: [Emu] Issue #14 Emergency auth

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.