[TLS] Re: Fwd: I-D Action:draft-nir-tls-eap-02.txt

To: Yoav Nir <ynir at checkpoint.com>
Subject: [TLS] Re: Fwd: I-D Action:draft-nir-tls-eap-02.txt
From: Simon Josefsson <simon at josefsson.org>
Date: Sun, 14 Oct 2007 19:02:57 +0200
Cc: Hannes Tschofenig <Hannes.Tschofenig at gmx.net>, tls at ietf.org, Yaron Sheffer <yaronf at checkpoint.com>
In-reply-to: <A1B5CF41-EE3B-4956-AD5F-20B8F72FE96F@checkpoint.com> (Yoav Nir's message of "Sun, 14 Oct 2007 17:01:24 +0200")
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
Openpgp: id=B565716F; url=http://josefsson.org/key.txt
References: <E1Ih40g-0004yh-07@stiedprstage1.ietf.org> <A1B5CF41-EE3B-4956-AD5F-20B8F72FE96F@checkpoint.com>
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)

Yoav Nir <ynir at checkpoint.com> writes:

> Hi all.
>
> We've published the -02 iteration of the TEE draft. The aim is to
> leverage EAP-using infrastructure such as RADIUS and DIAMETER servers
> for the authentication of TLS sessions.
>
> Following comments expressed about version -01, we've added some text
> that explains why the EAP exchange needs to be integrated into the
> TLS handshake rather than be part of the application.

How does your proposal compares with the proposal to support GSS-API in
the TLS handshake?

It would be an interoperability failure if both EAP-in-TLS and
GSSAPI-in-TLS were standardized and there aren't applicability
statements for application protocols like HTTP, IMAP, SMTP.

There may also be security failures, if an implementation would support
both EAP-in-TLS and GSSAPI-in-TLS.  This is because there doesn't seem
to be any way for applications to negotiate the globally most secure
mechanism.  Consider if the application supports Kerberos via
GSSAPI-in-TLS and a weak EAP mechanism via EAP-in-TLS.  There doesn't
seem to be any way for the application to detect this situation?  It may
end up negotiation the weak EAP mechanism even though Kerberos was
supported.

I think EAP may make slightly more sense than GSS-API because (with the
exception of Kerberos) there are few widely deployed GSS-API mechanisms.
In contrast there are many deployed EAP mechanisms.  Instead of
GSSAPI-in-TLS we could define a EAP-GSSAPI mechanism, and use it in
EAP-in-TLS.  It would be complex though.  Thoughts?

/Simon

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- [TLS] Re: I-D Action:draft-nir-tls-eap-02.txt
  - From: Yoav Nir

References:
- [TLS] Fwd: I-D Action:draft-nir-tls-eap-02.txt
  - From: Yoav Nir

Prev by Date: [TLS] Fwd: I-D Action:draft-nir-tls-eap-02.txt
Next by Date: [TLS] Re: I-D Action:draft-nir-tls-eap-02.txt
Previous by thread: [TLS] Fwd: I-D Action:draft-nir-tls-eap-02.txt
Next by thread: [TLS] Re: I-D Action:draft-nir-tls-eap-02.txt
Index(es):
- Date
- Thread

[TLS] Re: Fwd: I-D Action:draft-nir-tls-eap-02.txt

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.