Re: [Emu] EAP and authorization

Hello,

>> That's the straightforward approach.   It avoids the need to cling to
>> alternate definitions of well understood terms.  If you need to re-charter
>> to gain that authority, then so be it.  IMHO, this whole discussion looks
>> like an end-run around the "domain of applicability" restrictions for EAP.
>
>   I agree it does look that way.  I don't even think that's a wrong
> characterization of the issue.

It also reminds me of the discussion in radext prior to the last
re-charter, when "No new security mechanisms will be defined for RADIUS"
but at the same time crypto-agility and keywrap lay on the table. There
were lengthy and at times seemingly far-fetched arguments on why this
would or would not be permitted by the charter. In the end, things were
clarified by issuing a new charter and everybody lived happily ever
after (well, sort of ...).

>> Shall we take the high road here?  At the very least, you could seek
>> clarification from the IESG as to whether they think that the current
>> "domain of applicability" for EAP embraces the "additional data" you want to
>> include.  After all, enforcement of "applicability statements" is a very hit
>> or miss thing in the IETF.  You may get lucky.  :-)
>
>   I would prefer to get WG consensus first.  If the WG believes it's a
> good idea, the re-chartering process becomes simpler.

I think it's a good idea to acknowledge the reality that transport of
authorization data happens right now in EAP methods.
I also think it's a good idea to have both authentication and
authorization data in EAP.
If a re-charter were to acknowledge that EMU is also allowed to work on
authorization, I think we might end up with a way cleaner, proper
approach to handle authorization in EAP (which might end Dave's
perceived inappropriateness of it). Having an encrypted channel to
exchange authorization information post-authentication, even if the
authentication does not set up a tunnel for it, comes to mind. That way,
the EAP conversation could for example always carry NEA information,
agnostic of the protocol used in the prior authentication phase.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

