RE: Proposed Resolution to Issue 209: Applicability statement
From: Bernard Aboba (abobainternaut.com)
Date: Wed, 7 Jan 2004 10:35:03 -0500 (EST)
> > EAP was designed for use in network access authentication,
> > where IP layer connectivity may not be available. Use of EAP
> > for other purposes, such as application layer authentication,
> > or bulk data transport, is NOT RECOMMENDED.
> >
> [Joe] So why is EAP not recommended for application layer
> authentication?  I think it would be useful to state more clearly why
> since many of the requirements for authentication would be the same.
> The main difference between EAP and something like SASL, GSSAPI and TLS
> is that EAP does not provide security services or a security layer, it
> just provides key material for an existing security layer.

A major difference between GSS-API and EAP is that GSS-API (with the
exception of IAKERB) assumes that an initial authentication has already
occurred.  GSS-API also provides a complete suite of security services, as
you say.

SASL does not provide such a complete suite, and does not assume initial
authentication, so it is more analogous to EAP.  However, it runs over
reliable transport so it is more efficient than EAP.  It also typically
assumes that it is running over a lower security layer (e.g. TLS) but does
not provide keys for that layer or even supporting crypto-binding to it
(enabling man-in-the-middle attacks).

> I suggest changing the above to something like:
>
> "EAP was designed for the use in network access authentication, where IP
> layer connectivity may not be available.  EAP also assumes the existence
> of a security layer to provide ongoing data protection such as layer 2
> encryption.

Hmm.  Section 3.1 states that EAP does *not* assume existence of lower
layer security services.

> EAP may provide keying material for this external security
> layer. It is NOT RECOMMENDED that EAP be used in scenarios where an
> external security layer is not provided such as most application layer
> protocols.

I don't think we want to prohibit use of EAP in wired networks, do we?
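The crypto-binding point made above (an inner authentication tunneled over a lower security layer that neither keys it nor binds to it can be relayed end-to-end by a party that terminates the tunnel) can be shown with a small simulation. This is an added example, not code from this thread or from any of the protocols it names: the inner method is a constructed HMAC challenge-response standing in for an EAP-style method, the "tunnel key" is a random value standing in for TLS session state, and `channel_binding` is an assumed stand-in for what a real deployment would take from the lower layer (for example a TLS exporter or tls-unique value).

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed example: a toy inner challenge-response method (standing in for an
# EAP-style method) run inside an outer tunnel (standing in for TLS).  All names,
# keys and message formats here are assumptions for illustration only.

SHARED_SECRET = b"constructed-shared-secret"   # known to client and real server


def channel_binding(tunnel_key: bytes) -> bytes:
    """Value that identifies one tunnel instance to both of its endpoints.

    Assumed stand-in: a real system would export this from the lower layer
    (e.g. a TLS exporter or tls-unique value) rather than hash a key."""
    return hashlib.sha256(b"cb:" + tunnel_key).digest()


def client_response(challenge: bytes, binding: Optional[bytes]) -> bytes:
    """Client side of the inner method.  With a binding value, the response
    also commits to the tunnel the client actually established."""
    msg = challenge if binding is None else challenge + binding
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).digest()


def server_accepts(challenge: bytes, response: bytes, binding: Optional[bytes]) -> bool:
    """Server recomputes the response using its OWN view of the tunnel."""
    expected = client_response(challenge, binding)
    return hmac.compare_digest(expected, response)


def run(crypto_binding: bool, relayed: bool) -> bool:
    """Simulate one authentication and return True if the server accepts.

    relayed=True models a party that terminates the client's tunnel and opens
    its own tunnel to the server, forwarding the inner messages unchanged.
    Because the two tunnels are distinct, their binding values differ."""
    challenge = os.urandom(16)
    client_tunnel_key = os.urandom(32)
    # The relaying party cannot reuse the client's tunnel; it has a separate one.
    server_tunnel_key = os.urandom(32) if relayed else client_tunnel_key

    client_binding = channel_binding(client_tunnel_key) if crypto_binding else None
    server_binding = channel_binding(server_tunnel_key) if crypto_binding else None

    response = client_response(challenge, client_binding)   # forwarded verbatim
    return server_accepts(challenge, response, server_binding)


def summary() -> Dict[str, bool]:
    """All four combinations; only the bound-and-relayed case is rejected."""
    return {
        "no_binding_direct": run(crypto_binding=False, relayed=False),
        "no_binding_relayed": run(crypto_binding=False, relayed=True),   # accepted: the gap
        "binding_direct": run(crypto_binding=True, relayed=False),
        "binding_relayed": run(crypto_binding=True, relayed=True),       # rejected
    }


if __name__ == "__main__":
    for name, ok in summary().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The detection logic is entirely on the server side: it never learns the client's tunnel key, it only checks that the inner response was computed over the same tunnel instance it is serving. Without the binding the inner method has no way to notice that its messages crossed two tunnels, which is exactly why a lower layer that is merely assumed, rather than keyed by or bound to the authentication, does not close the man-in-the-middle case.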

