Hi Sam,

Using EAP one-way authentication with network access is neither the norm,
nor allowed by any decent network architecture. Whatever network allows that
already has its own security issues without compounding with any
higher-layer threats.

I don't know if and how it impacts the Abfab discussion, I'm just commenting
on the network access part.

Alper



> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Sam Hartman
> Sent: Thursday, March 31, 2011 2:53 PM
> To: [email protected]
> Subject: [abfab] Mutual authentication and channel binding should be
> required
> 
> 
> Over lunch, we discovered why it is that you want to require mutual
> authentication and channel binding all the time for gss-eap.
> 
> The reason is that we're introducing a new application into the system.
> Consider the following.
> 
> 1) EAP is used for network access. Since that's the only application
> and since mutual authentication is not important in a particular
> deployment for that, EAP mechanisms that do not provide mutual
> authentication are used.
> 
> 2) A new application, such as e-mail with TLS authentication for e-mail
> is deployed.
> 
> 3) An attacker pretends to be an access point towards a client, captures
> authentication credentials and then uses them to access the user's
> mail.
> 
> By increasing the number of possible services we've created a situation
> where security has been decreased.
> To avoid this, at most one service may permit authentication without
> establishing which service is involved.
> That service is already network access.
> 
> For that reason, I think that draft-ietf-gss-eap should be revised to be
> consistent with the applicability statement rather than revising the
> applicability statement to be more permissive.
> _______________________________________________
> abfab mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/abfab

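A toy model of the three-step scenario in Sam's quoted message, added here as an illustration and not part of either message or of any EAP/GSS-EAP implementation. It stands in for "establishing which service is involved" by folding the name of the service the client believes it is talking to into its proof; every secret, nonce and service name is a constructed placeholder.

```python
import hashlib
import hmac
from typing import Optional

# Constructed values for the model; not from any real deployment.
USER_SECRET = b"constructed-user-password"   # one credential shared by all services
MAIL_SERVICE = b"mail.example"
NET_SERVICE = b"network-access"


def client_proof(secret: bytes, nonce: bytes, service: Optional[bytes]) -> bytes:
    """Client's response to a server nonce.

    service=None models one-way EAP with no channel binding: the proof depends
    on the nonce only, so it is valid towards whoever ends up holding it.
    A service name folds the identity of the service the client believes it is
    talking to into the proof, so it is only valid towards that service.
    """
    msg = nonce if service is None else nonce + b"|" + service
    return hmac.new(secret, msg, hashlib.sha256).digest()


def server_accepts(secret: bytes, nonce: bytes, own_name: bytes,
                   proof: bytes, channel_binding: bool) -> bool:
    """Server recomputes the proof with its own name when channel binding is on."""
    expected = client_proof(secret, nonce, own_name if channel_binding else None)
    return hmac.compare_digest(expected, proof)


def rogue_ap_relay(channel_binding: bool) -> bool:
    """Step 3 of the scenario: does a rogue access point get into the user's mail?"""
    nonce = b"constructed-nonce-0001"          # chosen by the mail server
    # The rogue AP relays the mail server's nonce to the client, which thinks
    # it is authenticating for network access.
    proof = client_proof(USER_SECRET, nonce, NET_SERVICE if channel_binding else None)
    # The rogue AP forwards the client's proof to the mail server.
    return server_accepts(USER_SECRET, nonce, MAIL_SERVICE, proof, channel_binding)


def legitimate_mail_login(channel_binding: bool) -> bool:
    """Control case: the real client talking directly to the real mail server."""
    nonce = b"constructed-nonce-0002"
    proof = client_proof(USER_SECRET, nonce, MAIL_SERVICE if channel_binding else None)
    return server_accepts(USER_SECRET, nonce, MAIL_SERVICE, proof, channel_binding)


if __name__ == "__main__":
    print("no binding, relayed proof accepted by mail:", rogue_ap_relay(False))      # True
    print("binding, relayed proof accepted by mail:   ", rogue_ap_relay(True))       # False
    print("binding, legitimate mail login accepted:   ", legitimate_mail_login(True))  # True
```

Without the service name in the proof, the second service (mail) inherits the weakness of the first (network access); with it, a proof produced for one service is worthless towards the other.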