I agree that if there is not a standards-based approach to choose,
proprietary solutions will be implemented. I also agree that addressing
the password-based authentication is not the only problem here.

I also think there is a need for a standards-based tunneled EAP method.

I for one support the standardization of a TTLS that addresses channel
binding, crypto binding, etc.

Ryan
-----Original Message-----
From: Hao Zhou (hzhou) [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 13, 2007 2:13 PM
To: Pascal Urien; [EMAIL PROTECTED]
Subject: RE: [Emu] Re: Thoughts on Password-based EAP Methods

While I agree that we probably don't need another password-based method,
I firmly believe that we need a standard base method that provides more
extensibility beyond password-based authentication, for instance,
channel binding, exchange protected data, crypto-agility, etc. Past
experience tells me that if we don't define a standard one to address
this, someone will come up with a proprietary solution and we will end up
with multiple methods again. TTLS, PEAP, EAP-FAST are early attempts. We
will keep making the same mistakes.

That's why I think addressing password authentication should not be the
only goal, but addressing the standard extension points might be the
more important goal here. Addressing password authentication should be
trivial, as we already have a working protocol. Just like TLS is being
used as a framework, I would like to have a standard EAP tunnel method
that is extensible, extensible on the tunnel establishment as well as
inside the tunnel. Since the extension points are standardized and
extensions need to go through the IETF process and publishing, this will
ensure better interoperability. That's why I think we need to take a look
at both the password-based method and enhanced TLS-based method
requirements together, and maybe with some requirements outside the
current WG charter, and come up with a standard tunneling method that's
extensible.

As far as the basis for such a method, I don't think we have consensus
towards TTLS. We need to judge them based on the requirements and each
candidate's merits.

> -----Original Message-----
> From: Pascal Urien [mailto:[EMAIL PROTECTED] 
> Sent: Friday, April 13, 2007 4:46 PM
> To: [EMAIL PROTECTED]
> Subject: [Emu] Re: Thoughts on Password-based EAP Methods
> 
> Hi Everybody,
> 
> The emu working group agreed on the fact that a secure channel is needed.
> 
>   Item1.
> 
>     - a) Is there a consensus for TTLS (what version?)
>     - b) Is it possible to push TTLS as an RFC (from an IT point of view)?
> 
>   Item2
>     - c) Do we need a new password-based method?
>        I agree with Bernard's point of view. Many methods already exist.
> 
> My personal feeling is
> a=yes, b=yes, c=no
> 
> I am ready to organize a meeting in Paris in June, if the working group
> intends to debate about these points.
> 
> Best Regards
> 
> Pascal
> 
> _______________________________________________
> Emu mailing list
> [EMAIL PROTECTED]
> https://www1.ietf.org/mailman/listinfo/emu
> 
