Joseph Salowey (jsalowey) wrote:
> This section is about transporting clear text usernames and passwords
> within the tunnel, so password transport requirement needs to stay. I'm
> fine with more accurate text for describing the attacks. I propose the
> following text:
>
> "The tunnel method MUST support transporting clear text username and
> password to the authentication server. It MUST NOT reveal information
> about the username and password to parties in the communication path
> between the peer and the EAP Server. The advantage any attacker gains
> against the tunneled method when employing a username and password for
> authentication MUST be through interaction and not computation."

The first sentence refers to "authentication server", while the second uses "EAP server". I suggest using "EAP server" for both, as it is used elsewhere in the document, too.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu