Hi Joe,

  With all due respect to your chairmanship of the group let me make the
following comments.

On Wed, January 23, 2008 1:32 pm, Joseph Salowey (jsalowey) wrote:
> Hi Dan,
>
> Comments inline below:
>
>> -----Original Message-----
>> From: Dan Harkins [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, January 23, 2008 11:34 AM
>> To: Joseph Salowey (jsalowey)
>> Cc: Dan Harkins; [email protected]
>> Subject: RE: [Emu] EMU charter update,
>>
>>
>>   Hi Joe,
>>
>>   I went back and looked at the mailing list archives and the
>> thing is I can't really see where the group decided NOT to
>> pursue an EAP method that is resistant to dictionary attack
>> and is also not based on a tunnel method.
>>
> [Joe] The group has decided to work on the set of EAP methods in the
> charter. For the password based method the group has decided to work on
> a tunnel method (see list archives October 2007). While this does not
> explicitly exclude another password based method, another password based
> method is not within the scope of the charter.

  We are updating the charter. We have consensus to add something to it.
I do not see how that equates to consensus to not add something else.
Strictly speaking a tunnel-based EAP method that supports passwords is
not within the scope of the current charter, right? Which is why the
title of this thread is "EMU charter update". We're updating our charter
to put such a method in our scope. This seems like an opportune time to
put another method in our scope.

>>   The group wants to add a tunnel method and that method
>> should support passwords as well as other authentication
>> mechanisms. And I'm all on board for that! But that doesn't
>> mean that password authentication without a tunnel method is
>> something we should not work on.
>>
> [Joe] We need to make more progress on the current work items before we
> consider taking on new work.

  From the looks of our last meeting we have considerable progress on
that front. In fact, we have 2 competing EAP methods that already satisfy
the requirements! The technical work necessary once we choose the
protocol to advance should be minimal. In fact, due to the claims of a
large deployed base for both protocols I would be inclined to believe
that substantive changes to the selected protocol will be strongly
resisted.

>>   The working group had consensus for EAP-GPSK over EAP-TLS
>> with TLS-PSK and for those very same reasons I think an
>> EAP-password method that is resistant to dictionary attack
>> would be good. Is there some reason why it wouldn't be good?
>> Is there something I'm missing?
>>
> [Joe] I think there are differing opinions within the group. There is a
> strong sentiment that fewer EAP methods is better than more. Others may
> be more liberal with respect to new methods. Right now it is important
> that we make progress on the items that we have consensus on before we
> attempt to open up new ones.

  I understand that is important but, again respectfully, I do not
believe your desire to speed things up necessarily translates into
consensus in the group.

  We certainly do not suffer from a lack of EAP methods but that is
largely due to different flavors of exactly the same thing-- PEAPv0,
PEAPv1, FAST, TTLS all provide server-side authentication with something
that looks awfully like EAP-TLS followed by a generic second phase which
does client-side authentication with a suite of options. What we do
suffer from is some EAP methods providing certain useful functionality.
EAP-GPSK filled one gap (PSK-based authentication that is compact,
lightweight, and does not require certificates) but it cannot fill
another (robustness and resistance to dictionary attack).

  I respectfully ask you to make a call for consensus on the topic of
adding a password-based authentication method that is resistant to
dictionary attack to our charter.

  regards,

  Dan.

_______________________________________________
Emu mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/emu
