[12:47:14] --- Yoshifumi Atarashi has become available
[12:47:21] --- Yoshifumi Atarashi has left
[12:50:57] --- hartmans has become available
[12:52:40] --- mike has become available
[12:54:09] --- Yoshifumi Atarashi has become available
[12:54:28] --- Yoshifumi Atarashi has left
[13:00:16] --- pigdog has become available
[13:03:07] --- mjo has become available
[13:05:03] <hartmans> I'm in the room
[13:06:13] --- pigdog has left
[13:06:23] --- Will Ivancic has become available
[13:07:42] <Will Ivancic> I am in room also.
[13:08:03] <Will Ivancic> R others receiving audio stream?
[13:08:47] --- warlord has become available
[13:11:32] --- hartmans has left
[13:12:19] --- Will Ivancic has left
[13:12:36] --- hartmans has become available
[13:13:15] --- sureshk has become available
[13:13:22] --- nicow3k has become available
[13:14:09] --- pigdog has become available
[13:17:51] --- raj has become available
[13:21:31] <nicow3k> no scribing?
[13:21:59] <hartmans> There is currently none.
[13:24:29] <hartmans> I can run BSD on my SCSI host adapter but I can't bother to have certificate handling in my boot rom?
[13:24:40] <nicow3k> heh
[13:24:42] <pigdog> in your bootprom?
[13:25:05] <warlord> why would i want to boot off iSCSI?
[13:25:30] <nicow3k> so you don't have local disks
[13:25:52] <warlord> disks are cheap.. and small.
[13:25:56] <pigdog> but here's my real question: why not demand some form of authentication service of L2? we are NOT in the '70s
[13:25:56] <warlord> c.f. ipod
[13:25:57] <hartmans> All new diskless workstation
[13:26:44] <nicow3k> right
[13:29:18] <hartmans> the terminology reuse between GSSAPI and 3748 of channel bindings is most unfortunate
[13:29:56] <nicow3k> yes
[13:30:09] <nicow3k> remind us what EAP means by channel bindings
[13:30:33] <hartmans> authentication of attributes of the channel, like which NAS I'm talking to.
[13:30:42] <nicow3k> right
[13:30:45] <hartmans> As a security person it is part of what I would think of as mutual authentication.
[13:31:51] --- aibo7 has become available
[13:32:48] --- narten has become available
[13:33:41] <nicow3k> actually, the wording in 3748 is, on the surface, somewhat like what you and I mean by channel bindings
[13:33:57] <hartmans> Compare their definition of cryptographic binding
[13:33:58] <nicow3k> a protected exchange of channel endpoint IDs
[13:34:30] --- raj has left: Logged out
[13:34:59] <nicow3k> yeah
[13:38:28] --- pigdog has left
[13:41:15] --- suz has become available
[13:44:30] --- ogud has become available
[13:48:23] --- nm has become available
[13:52:47] --- nicow3k has left
[13:54:14] --- Melinda has become available
[13:54:53] <hartmans> Since IKE supports EAP why do they need a PSK?
[13:55:05] --- pigdog has become available
[13:56:09] --- pigdog has left
[13:56:52] --- pigdog has become available
[13:58:11] --- raeburn has become available
[14:02:44] --- pigdog has left: Replaced by new connection
[14:02:44] --- pigdog has become available
[14:05:17] <hartmans> Bleh. What a mess.
[14:07:04] <warlord> Yep
[14:07:35] --- dumdidum has become available
[14:07:50] --- dumdidum has left
[14:09:52] --- nicow3k has become available
[14:10:09] <nicow3k> different creds
[14:10:42] <nicow3k> you can use an OTP token for the first EAP, get PSK for IKE and not have to use a token again when the IPsec part of this comes up
[14:10:47] --- dumdidum has become available
[14:10:52] <nicow3k> so, I don't think it's a mess
[14:12:04] <pigdog> this all just smells like cutting the layers wrong
[14:12:05] <hartmans> But that's out of scope for EAP as is the address authentication
[14:12:30] <nicow3k> and they're essentially asking that EAP's scope be broadened
[14:13:53] --- raeburn has left: Replaced by new connection
[14:13:53] --- raeburn has become available
[14:14:26] --- nm has left: Replaced by new connection
[14:14:26] --- nm has become available
[14:14:26] --- nm has left
[14:14:37] --- nm has become available
[14:16:17] <hartmans> Yes.
[14:16:38] <hartmans> But why do you have any reason to believe the foreign network and home network are related etc.
[14:16:46] <pigdog> sorry- one of these things is NOT like the other. RSVP runs on a device that is already up and running
[14:17:04] <pigdog> this is a generic configuration problem, now
[14:17:21] <pigdog> and for what? any network service?
[14:20:04] --- nicow3k has left: Replaced by new connection
[14:20:13] --- nicow3k has become available
[14:20:27] <nicow3k> my network died
[14:20:52] <nicow3k> imagine extensions to the GSS-API that allow for distribution of config info and cross-mechanism credential delegation
[14:21:10] <nicow3k> then point out that the GSS-API too is layer/transport independent :)
[14:21:28] <nicow3k> (but there's no standard for using it straight on layer 2)
[14:21:34] <nicow3k> anyways, there you go
[14:26:59] --- pigdog has left: Replaced by new connection
[14:26:59] --- pigdog has become available
[14:27:04] <nicow3k> I don't find that objectionable
[14:27:09] <nicow3k> well, not entirely
[14:27:36] <nicow3k> I'd rather DHCP didn't have message size / fragmentation / round-trip limits though
[14:28:33] --- mike has left: Disconnected
[14:28:36] <nicow3k> to what degree does this pain derive from DHCP's limits?
[14:29:05] <nicow3k> as for the applicability of EAP...
[14:30:26] <nicow3k> if I think of it as just a sort of a transport for security mechanisms I don't find the proposed, er, extensions, objectionable
[14:30:53] <hartmans> Yeah, but if you read the spec, you realize it's not just that.
[14:30:59] <hartmans> The spec is fairly specific to network access
[14:31:15] <nicow3k> oh, it's not just that
[14:31:36] <nicow3k> here we go
[14:32:26] --- ogud has left
[14:32:58] <pigdog> do i hear a draft volunteer?
[14:35:02] --- wej has become available
[14:37:20] --- Melinda has left: Disconnected
[14:37:23] --- geg has become available
[14:37:34] --- kanda has become available
[14:37:39] --- raeburn has left
[14:38:27] --- geg has left: Replaced by new connection
[14:38:59] <hartmans> Yeah. I figured it would come close
[14:40:28] --- dumdidum has left: Replaced by new connection
[14:40:33] --- dumdidum has become available
[14:41:05] <nicow3k> if it's about round-trips then EAP can't be the answer! ;)
[14:42:17] <pigdog> ralph provided some engineering constraints based on experience. and this BoF is not properly named.
[14:42:20] <pigdog> it should be SEAP
[14:42:23] <pigdog> Scope of EAP
[14:42:54] <nicow3k> heh
[14:46:58] --- suz has left
[14:46:58] --- suz has become available
[14:47:08] --- suz has left
[14:49:15] --- aibo7 has left: Disconnected
[14:52:22] --- nm has left
[14:53:06] <hartmans> ++Thomas
[14:53:56] <warlord> Well, it's 3pm. time for cookies.
[14:55:29] --- pigdog has left
[14:56:29] --- sureshk has left: Disconnected
[14:56:45] --- mjo has left
[14:57:28] --- dumdidum has left
[14:57:55] --- hartmans has left
[14:59:43] --- kanda has left
[14:59:45] --- nicow3k has left
[15:02:03] --- narten has left
[15:06:00] --- wej has left
[15:23:54] --- warlord has left