I agree. That's why I was thinking that adding a reference that makes implementers aware of this problem would be a good idea. Then they can make an educated decision about whether they want to implement additional mitigation techniques (i.e. enforce policies) or to not use password-based inner methods.

> -----Original Message-----
> From: Alan DeKok [mailto:al...@deployingradius.com]
> Sent: Wednesday, September 01, 2010 9:34 AM
> To: Hoeper Katrin-QWKN37
> Cc: Glen Zorn; Bernard Aboba; emu@ietf.org
> Subject: Re: [Emu] security paper on tunneled authentication
>
> Hoeper Katrin-QWKN37 wrote:
> > I will check the current draft for conflicts and, if necessary, propose
> > changes.
>
> I think that the main issue with the draft is that it requires
> tunneled methods to allow for password authentication. Your analysis
> paper says that password methods cannot be made resistant to these attacks.
>
> If that is right, then I don't think there is anything to do in the
> draft.
>
> Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu