Hi Joe,
Yes, I am OK with the text.
Thanks,
Yaron
> -----Original Message-----
> From: Joseph Salowey (jsalowey) [mailto:[email protected]]
> Sent: Thursday, March 04, 2010 17:12
> To: Yaron Sheffer; Alan DeKok
> Cc: [email protected]
> Subject: RE: [Emu] review of draft-ietf-emu-eaptunnel-req-04
>
> Hi Yaron,
>
> The existing text is just about restricting the mandatory to implement
> cipher suites. Are you OK with the text?
>
> Thanks,
>
> Joe
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of
> > Yaron Sheffer
> > Sent: Wednesday, March 03, 2010 11:05 PM
> > To: Alan DeKok
> > Cc: [email protected]
> > Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04
> >
> > Hi Alan,
> >
> > Initial provisioning by shipping the device with the trust anchor
> pre-
> > installed is fine, if you're Verizon. But in many cases you don't
> control
> > the device, and don't have a trusted path through which to transport
> the
> > CA cert (I am thinking enterprise CA here, not a public CA). The
> > combination of anonymous tunnel plus mutual auth with a one-time
> password
> > allows you to do that.
> >
> > But I'm OK with not making this option mandatory, since there are
> > important use cases that don't need it.
> >
> > Thanks,
> > Yaron
> >
> > > -----Original Message-----
> > > From: Alan DeKok [mailto:[email protected]]
> > > Sent: Thursday, March 04, 2010 8:47
> > > To: Yaron Sheffer
> > > Cc: [email protected]
> > > Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04
> > >
> > > Yaron Sheffer wrote:
> > > > Joe, what Dan is proposing is a reasonable way to use a one-time
> > > password for the initial provisioning of a trust anchor. Initial
> > > provisioning is important for many types of deployments. Does the
> > > document allow an alternative secure way to do that?
> > >
> > > TLS-based methods can leverage server certificates. This is
> already
> > > done in other areas (WiMAX, etc.)
> > >
> > > i.e. ship a device with a known CA, and on first provisioning,
> TLS
> > > checks the server certificate, and the user validates that the name
> of
> > > the server is what was expected.
> > >
> > > Since the document doesn't forbid anonymous methods, the only
> issue
> > > here is whether or not the document should make them mandatory to
> > > implement. I agree with Joe, in that they shouldn't be mandatory.
> > >
> > > Alan DeKok.
> > >
> > > Scanned by Check Point Total Security Gateway.
> > _______________________________________________
> > Emu mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/emu
>
> Scanned by Check Point Total Security Gateway.
_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
