>>>>> "Dan" == Dan Harkins <[email protected]> writes:
Dan> Hi Alan,
Dan> On Thu, June 24, 2010 5:20 am, Alan DeKok wrote:
>> Glen Zorn wrote:
>> Alan DeKok [mailto:[email protected]] writes:
>>>> The requirement to keep authentication credentials private,
>>>> which is one of the reasons for choosing a TLS-based method in
>>>> the first place.
>>>
>>> Are you confused? We're talking about being able to
>>> authenticate the visited network, not tunnel method
>>> requirements...
>>
>> Your proposal authenticates the visited network, at the cost of
>> exposing the users authentication credentials to the visited
>> network, and to everyone else in the proxy chain. This fails the
>> privacy requirements of any TLS-based EAP method, and has nothing
>> at all to do with the tunnel method requirements.
Dan> I may be missing something but the key shared by the client
Dan> and the NAS is going to be known by the proxies in that chain
Dan> so what sort of problem is being solved by applying these
Dan> privacy requirements to proxies?
The MSK is a relatively short-term key. The credentials that proxies
may be able to attack are long-term credentials.
So, I'm with Alan: the long-term credentials are more important than the
MSK.
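A constructed toy model of the point being argued, added here and not taken from the thread or from any EAP specification: a long-term credential shared by the peer and the EAP server, a per-session MSK derived from it with fresh nonces, and a comparison of what a proxy on the path can do after seeing one session's MSK versus after seeing the credential itself. The derivation, the `MSK_LABEL` string and the nonce sizes are assumptions for illustration only.

```python
import hashlib
import hmac
import os

# Constructed toy key hierarchy: a long-term credential shared by peer and
# EAP server, and a per-session MSK derived from it. The label and the
# derivation are illustrative assumptions, not any real EAP method's.

MSK_LABEL = b"toy-eap-msk"  # assumed label, not from any specification


def derive_msk(credential: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Derive a per-session MSK from the long-term credential and fresh nonces.

    HMAC-SHA256 keyed by the credential acts as a one-way PRF: the output
    cannot be inverted to recover the credential, and different nonces give
    an unrelated MSK.
    """
    return hmac.new(credential, MSK_LABEL + client_nonce + server_nonce,
                    hashlib.sha256).digest()


def run_session(credential: bytes) -> dict:
    """One EAP exchange: returns what a proxy on the RADIUS path gets to see.

    The MSK is shipped to the NAS through the proxy chain, so the proxy sees
    the nonces and the MSK. It never sees the credential.
    """
    client_nonce = os.urandom(32)
    server_nonce = os.urandom(32)
    return {
        "client_nonce": client_nonce,
        "server_nonce": server_nonce,
        "msk": derive_msk(credential, client_nonce, server_nonce),
    }


def session_keys_differ(credential: bytes) -> bool:
    """Two sessions under the same credential yield distinct MSKs."""
    return run_session(credential)["msk"] != run_session(credential)["msk"]


def exposure_impact(credential: bytes) -> dict:
    """Compare a proxy that learned one MSK with a proxy that learned the credential.

    The MSK holder plugs the captured MSK into the same derivation to guess
    the next session's MSK and fails, because the PRF is keyed by the
    credential. The credential holder reproduces the next MSK exactly, and
    would for every future session until the credential is changed.
    """
    first = run_session(credential)
    second = run_session(credential)
    cn, sn = second["client_nonce"], second["server_nonce"]

    guess_from_msk = derive_msk(first["msk"], cn, sn)
    guess_from_credential = derive_msk(credential, cn, sn)

    return {
        "msk_holder_predicts_next_msk":
            hmac.compare_digest(guess_from_msk, second["msk"]),
        "credential_holder_predicts_next_msk":
            hmac.compare_digest(guess_from_credential, second["msk"]),
    }


if __name__ == "__main__":
    cred = os.urandom(32)  # constructed long-term credential
    print("distinct MSKs per session:", session_keys_differ(cred))
    print(exposure_impact(cred))
```

The model makes the asymmetry in the thread concrete: a proxy that captures an MSK can misuse that one session, whereas a proxy that captures the credential can derive the MSK of every later session, which is why the long-term credential deserves the stronger privacy protection.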
_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu