Glen Zorn wrote:
> Alan DeKok [mailto:al...@deployingradius.com] writes:
>>   The requirement to keep authentication credentials private, which is
>> one of the reasons for choosing a TLS-based method in the first place.
> 
> Are you confused?  We're talking about being able to authenticate the
> visited network, not tunnel method requirements...

  Your proposal authenticates the visited network, at the cost of
exposing the user's authentication credentials to the visited network,
and to everyone else in the proxy chain.  This fails the privacy
requirements of any TLS-based EAP method, and has nothing at all to do
with the tunnel method requirements.

>>   Is there a document describing that?  Will implementations be
>> interoperable without a document?  What security and privacy issues are
>> there with doing that?
> 
> RFC 5281.

  i.e. EAP-TTLS, which is informational, not standards track.  And it
has little or no discussion on the dual authentication which would be
necessary for your proposal to work.

>>   Roaming was just one example.  Even with roaming, there are multiple
>> roaming consortia, for multiple purposes.  Standardizing a
>> cross-consortia method for channel bindings would appear to be useful to
>> the wider Internet Community, and well within the scope of the IETF.
> 
> How does this affect the fact that the stated goal of making sure that the
> network to which the client is attached is the one that was advertised?

  Channel bindings are proposed to solve that, and other issues.  The
proposal is to do this without exposing authentication credentials to
everyone.


  Alan DeKok.
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
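Added illustration (not part of the thread, and not code from any EAP implementation): a toy EAP-TTLS-style exchange carried through a RADIUS proxy chain, showing the two points argued above. The peer's real identity and password travel only inside the TLS-protected tunnel, so each proxy sees just the routing realm and opaque bytes; and a channel-binding check in the spirit of RFC 6677 lets the home server confirm that the network the peer was shown at the lower layer is the one the AAA side describes, without the credentials ever leaving the tunnel. Assumptions, all constructed for the example: the TLS handshake is taken as already done and represented by `TUNNEL_KEY`; HMAC-SHA256 in counter mode stands in for the TLS record layer; the RADIUS attributes (`User-Name`, `NAS-Identifier`, `Called-Station-Id`) are plain dict keys rather than real encodings, and the SSID is placed directly in `Called-Station-Id` for brevity.

```python
"""Toy EAP-TTLS-style exchange over a RADIUS proxy chain with channel bindings.

Constructed illustration only: the TLS handshake is assumed to have already
produced TUNNEL_KEY between the peer and its home server; HMAC-SHA256 in
counter mode stands in for TLS record protection; attribute names mimic
RADIUS but the encoding is plain dicts.
"""
import hashlib
import hmac
import json
import secrets

# Assumed output of the (omitted) peer <-> home-server TLS handshake.
TUNNEL_KEY = secrets.token_bytes(32)
# Constructed home-realm user database.
HOME_USERS = {"alice@home.example": "correct horse battery staple"}


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for the TLS record layer."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag (toy; one key for both)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Verify the tag, then decrypt. Raises on any tampering with the blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tunnel integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def peer_inner_message(identity, password, seen_ssid, seen_nas_id):
    """Inside the tunnel the peer sends its real identity and password plus
    the network identity it observed at the lower layer (its channel-binding
    claim, in the spirit of RFC 6677)."""
    inner = {"identity": identity, "password": password,
             "cb_ssid": seen_ssid, "cb_nas_id": seen_nas_id}
    return seal(TUNNEL_KEY, json.dumps(inner).encode())


def nas_access_request(outer_identity, eap_blob, nas_ssid, nas_id):
    """What the NAS hands to the first proxy: only the routing realm in the
    outer identity, the opaque tunnel payload, and the NAS's own description
    of itself (all of it visible to every hop)."""
    return {"User-Name": outer_identity, "NAS-Identifier": nas_id,
            "Called-Station-Id": nas_ssid, "EAP-Message": eap_blob}


def proxy(request, observations):
    """A proxy records everything it can read, then forwards unchanged."""
    observations.append(json.dumps({k: v.hex() if isinstance(v, bytes) else v
                                    for k, v in request.items()}))
    return request


def home_server_decide(request):
    """Home server: open the tunnel, check the password, then check that the
    peer's view of the network matches what the AAA side says about the NAS
    that forwarded the request."""
    inner = json.loads(unseal(TUNNEL_KEY, request["EAP-Message"]))
    stored = HOME_USERS.get(inner["identity"], "")
    creds_ok = hmac.compare_digest(stored.encode(), inner["password"].encode())
    cb_ok = (inner["cb_ssid"] == request["Called-Station-Id"]
             and inner["cb_nas_id"] == request["NAS-Identifier"])
    return {"credentials_ok": creds_ok, "channel_binding_ok": cb_ok,
            "accept": creds_ok and cb_ok}


def run_exchange(seen_ssid, seen_nas_id, nas_ssid, nas_id,
                 password="correct horse battery staple", hops=3):
    """Drive one authentication through `hops` proxies; return the home
    server's decision and what each proxy was able to observe."""
    blob = peer_inner_message("alice@home.example", password, seen_ssid, seen_nas_id)
    req = nas_access_request("anonymous@home.example", blob, nas_ssid, nas_id)
    observations = []
    for _ in range(hops):
        req = proxy(req, observations)
    return home_server_decide(req), observations


if __name__ == "__main__":
    honest, seen = run_exchange("roamnet", "ap1.visited.example",
                                "roamnet", "ap1.visited.example")
    rogue, _ = run_exchange("roamnet", "ap1.visited.example",
                            "freewifi", "rogue-ap.example")
    print("honest NAS:", honest)
    print("rogue NAS: ", rogue)
    print("first proxy saw:", seen[0])
```

In the honest run the home server accepts; in the second run the NAS advertised the consortium SSID "roamnet" over the air but the AAA attributes describe a different network, so the channel-binding check fails and the request is refused even though the password was correct. In both runs the proxies' records contain only `anonymous@home.example` and hex ciphertext, never the inner identity or password. The caveat a practitioner should keep in mind is that this check only catches a NAS whose lower-layer advertisement disagrees with what the AAA infrastructure asserts about it; it relies on the proxy chain carrying those attributes honestly (hop-by-hop RADIUS shared secrets) and does not replace the peer's validation of the home server's TLS certificate.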
