Hi, Sam:

     Comments for clarification.

     In RFC2743(GSS-API), there are some sentences:
       P4 "The security services available through GSS-API are implementable over a
       range of underlying mechanisms based on secret-key and public-key cryptographic technologies".

       P88 "Clause 5, Mechanism-specific example scenarios
       5.1 Kerberos V5 
       5.3 X.509 Authentication Framework"
 
     According to the text above, my understanding is that GSS-API can support
     a set of security mechanisms; it is NOT limited to the single Kerberos
     mechanism.

     In RFC5296(ERP), it says "3. ERP Description
     ... ERP is a single round-trip exchange between the peer and the server;
     it is independent of the lower layer and the EAP method used during
     the full EAP exchange."
     You wrote "ERP--it's just another EAP method after all". 

     I am not sure whether they are consistent. 

------------
Yinxing Wei




Sam Hartman <[email protected]>
Sender: [email protected]
2012/03/12 21:40

To: Rafa Marin Lopez <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [abfab] draft-wei-abfab-fcla-02 is posted (fast re-auth)






>>>>> "Rafa" == Rafa Marin Lopez <[email protected]> writes:

    Rafa> Hi Luke: That kind of fast re-auth based on Kerberos is also
    Rafa> intrinsic to draft-perez-abfab-eap-gss-preauth-01

    Rafa> Best regards.

    Rafa> On 12/03/2012, at 13:18, Luke Howard wrote:

Right.  I'd prefer to focus on the Kerberos-based approaches because we
have a lot of experience with them (the Moonshot implementation and your
implementation) and because they seem to be rather simple.  I think for
the sorts of services that use ABFAB, ERP would require more
infrastructure and might be more complex.  Nothing precludes using
ERP--it's just another EAP method after all.  However for application
bridging it seems like there are environments where the two directions
we're already working on (gss-preauth and the reauth within Moonshot)
are far more attractive.

--Sam
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab


