I guess you are talking about mutual authentication of the EAP peer and the EAP server.

See also the text we put in http://tools.ietf.org/html/rfc5998

On Mar 31, 2011, at 1:52 PM, Sam Hartman wrote:

> Over lunch, we discovered why it is that you want to require mutual
> authentication and channel binding all the time for gss-eap.
>
> The reason is that we're introducing a new application into the system.
> Consider the following.
>
> 1) EAP is used for network access. Since that's the only application,
> and since mutual authentication is not important in a particular
> deployment for that, EAP mechanisms that do not provide mutual
> authentication are used.
>
> 2) A new application, such as e-mail with TLS authentication for e-mail,
> is deployed.
>
> 3) An attacker pretends to be an access point towards a client, captures
> authentication credentials, and then uses them to access the user's mail.
>
> By increasing the number of possible services we've created a situation
> where security has been decreased.
> To avoid this, at most one service may permit authentication without
> establishing which service is involved.
> That service is already network access.
>
> For that reason, I think that draft-ietf-gss-eap should be revised to be
> consistent with the applicability statement rather than revising the
> applicability statement to be more permissive.

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
