On Mon, 10 Dec 2018, Michael Richardson wrote:

Why do you think balanced PAKE is more appropriate for us than augmented?

Because I share Paul's view that the PSKs we care about are generally
identical in both directions

I agree here.

, and this use is primarily about site-to-site
inter-company VPNs. This is not for road-warrior access.

But not here. Weak group PSKs for roadwarriors is a thing :(

I would prefer that the PAKE method was not wrapped in EAP.

Indeed. As I explained at the last IETF's presentation, it CANNOT use EAP
because then site-to-site admins cannot use it to connect two different
enterprises because none wants to reconfigure their equipment to trust
the other party's authentication infrastructure.

EAP is not suitable to interconnect different enterprises.

Paul
