Re: [Emu] server unauthenticated provisioning mode

Wed, 24 Aug 2011 17:19:57 -0700 

>>>>> "Dan" == Dan Harkins <dhark...@lounge.org> writes:

    Dan>   In fact, if you have the ability to to provision 128-bit (or
    Dan> greater) blobs in disparate places then you have the ability to
    Dan> provision a certificate or something that makes EAP-GPSK
    Dan> pointless. If, on the other hand, you really really want to
    Dan> provision 128-bit blobs in lieu of certificates then you really
    Dan> have no need to do the tunneled method with an anonymous DH
    Dan> ciphersuite in phase 1. Just do EAP-GPSK and be done with it.

I can think of a lot of reasons I might want a tunnel with EAP-GPSK.
Examples including wanting channel bindings that don't fit in the 200
bytes or whatever GPSK gives me, wanting to do NEA, etc.

So, I think it is reasonable to configure a policy that uses EAP-GPSK
with an anonymous ciphersuite in exactly the  cases where GPSK is
appropriate to use at all.

If you'd like text suggestions I'd be happy to provide.

    >> I absolutely do not support EAP-PWD as a MTI for this document
    >> unless EAP-PWD is moved to the standards track.

    Dan>   So you're drawing a line in the sand over the capricious
    Dan> nature of a past IESG decision and not on security? Really? Why
    Dan> are you not running around insisting that RFC 2104 be moved to
    Dan> standards track?

I don't consider the decision capricious.
EAP-PWD has not met process hurtles that are important for IETF
standards. In particular there are a number of approaches for doing that
sort of password method; we haven't decided that's the one we want to
use.

If EAP-PWD had the sort of deployment MSCHAPv2 had, I'd support an RFC
3967 down-ref to it: the market has spoken and MSCHAPv2 has significant
deployment.  However, a normative down-ref to EAP-PWD would be an
end-run around the question of whether EAP-PWD is the method that does
approximately what it does that we want to recommend.  That decision
should be faced directly not as part of some other spec.

    Dan>   Dan.



_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Reply via email to