Hello, I have a comment about use of EAP in this context.
Folks might remember the ICOS BoF held during IETF 62. Discussions at that meeting, around that era, and since then have been always pointing to the applicability statement of EAP and more-or-less blocking the use of EAP for anything other than network access. EAP RFC 3748: EAP was designed for use in network access authentication, where IP layer connectivity may not be available. Use of EAP for other purposes, such as bulk data transport, is NOT RECOMMENDED. See the meeting notes at http://www.ietf.org/proceedings/62/icos.html, especially Sam's (SEC AD at that time): Sam: Although having a lot of EAP methods is complicated, deploying new credentials is also hard. I think the uses of EAP that were discussed here are close enough to network access that I could see the connection. But when EAP was expaned from PPP to other uses, a lot of new work was required; if we expand EAP to services in general, we need at least the same amount of work. We might want to check that there are no better solutions. So if you're using EAP for something totally else than network access authentication, please talk to me earlier rather than later. I'm not against using EAP for arbitrary applications. If this is where we are getting at in IETF, I'm hoping this gets proper consideration bridging where we were 5 years ago and today. Was this discussed? Is there a proposal to expand the applicability statement of EAP now? Where do we draw the new line now? Thanks in advance. Alper > -----Original Message----- > From: emu-boun...@ietf.org [mailto:emu-boun...@ietf.org] On Behalf Of > Sam Hartman > Sent: Friday, May 14, 2010 10:20 PM > To: s...@mit.edu > Cc: kit...@ietf.org; moonshot-commun...@jiscmail.ac.uk; emu@ietf.org > Subject: [Emu] Summary of Federated Authentication BOF at IETF 77 > > > > I'm told there were around 30 people in the room. That seemed like a > good turn out for Thursday at 9 PM. > > Many of the participants had already read some or all of the proposed > documents. > I presented a problem statement based on providing federated > authentication for non-web applications. > Two solutions were presented. I presented work on Moonshot, a > technology that combines EAP, GSS-API, RADIUS and SAML to solve the > problem. Eliot Lear and Klaas Wierenga presented a simpler solution > that uses browser-based SAML and Open ID. > > The sense of the room was that these solutions compliment each other. > Moonshot requires more infrastructure and client configuration but > provides several advantages. The browser-based solutions are something > that requires fewer client changes. > > Volunteers were collected from the EAP, GSS and RADIUS communities who > would be interested in working on these problems. Some of the work > discussed, possibly especially including the Open ID and SAML > browser-based solutions may be able to progress in kitten. I and I > believe several of the other Moonshot proponents would prefer to focus > the Moonshot work in one working group. Other solutions could also be > progressed in that group, although we should be careful not to slow > down > work that could progress quickly in kitten by moving it into an > as-yet-unchartered group. > > There seemed to be strong support for going forward. However, several > things to address in a BOF were raised with regard to the Moonshot > work. > > * Steve Bellovin pointed out that we need to be very aware of the > operational impact and how this fits with the operational model of > the > technologies that are used/extended. > > * Klaas pointed out that Moonshot involves changes to a lot of > different > components. We need to make sure that there are incremental > advantages to each of these changes so they will be deployed: a > system > where there is no benefit until the end when all the peaces fall > together is much harder to deploy. > > * Klaas pointed out that we need to consider the operational security > around how RADIUS federations are deployed. If network access is not > considered sensitive today, people may be more lax in the security > surrounding their RADIUS infrastructure. If we use that > infrastructure to secure more sensitive resources we need to have > practices that tighten up the security of the infrastructure > sufficiently. > > * Someone brought up that this is another one of those authentication > proposals where user-interface is critical. While we should not lay > out dialogues in the IETF, we're going to need to describe the > usability aspects of this enough to increase the probability of a > good > security solution. > > People specifically asked to look at the following: > * Complexity > * What can't be handled with simpler solutions > * Is Moonshot broad enough in scope? > * The UI questions > > Since the bar BOF, there has been a lot of traffic on the list and work > continues. > We're definitely going to put together a BOF request for IETF 78. > _______________________________________________ > Emu mailing list > Emu@ietf.org > https://www.ietf.org/mailman/listinfo/emu _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
