Re: [TLS] the use cases for GSS-based TLS and the plea for integrating



Kemp, David P. wrote:
> Umm, is that a trick question?
>   
Yes.
> Symmetric mechanisms (static passwords, OTP, Kerberos, etc) all have
> the property of requiring communication with an identity provider
> in real-time to authenticate a user (except for pre-placed keys, a
> non-scalable technique that is not under consideration for TLS even
> though it is supported in IPSec).
>
> Asymmetric (certificate-based) mechanisms can authenticate a user
> without communicating with an identity provider and without giving
> one party the ability to masquerade as the other.
>
> One certainly would not want to remove asymmetric authentication
> from TLS (i.e., it should remain mandatory to implement).  The
> discussion concerns whether to add symmetric authentication inside
> TLS and if not, how to bind TLS sessions to symmetric authentication
> at a layer above TLS.

For the sake of clarifying this discussion, I'm not sure I understand
what you mean by a symmetric form of authentication. Afaik
there is authentication and other authentication. Both you and
Chris have a point in that there is a difference between X.509
based authentication for TLS and many other mechanisms, but
so what?

Chris makes the case that errors from (say) network-related
problems which occurred out-of-band (wrt TLS) must be
communicated through TLS, but so must problems related
to path construction and path validation in the X.509 case,
right?

Having said that, I agree fully that a clean stack is a good stack,
and I look forward to reading Martin's proposal.

    Cheers, Leif

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls