RE: What about PSK with TLS and IKEv2?

From: Joseph Salowey (jsalowey
Date: Mon, 16 Aug 2004 13:11:18 -0400 (EDT)

I'm not opposed to other methods, but I think methods based on existing key exchange frameworks such as TLS and IKEv2 are valuable because they build on widely implemented (at least in the case of TLS) and reviewed standards. TLS is probably the most widely deployed one and it has been extended to support multiple mechanisms including certificates, Kerberos and pre-shared key. I would prefer to focus on the standard frameworks first.

Joe

eap-admin [at] frascone.com wrote:
> T. Charles Clancy wrote:
>> True, but the TLS resume still requires 2 round trips,
>
> 1.5 RT :)
>
>> and as much computation as a full reauthentication.
>
> Correct me if I'm wrong, in the full reauthentication, we authenticate
> using certificates which is not the case of TLS-PSK.
>
>> Just because other methods use it doesn't mean it's the right thing
>> to do in the PSK case.
>
> I meant that the TLS-PSK allows us to call back a full TLS session...
> Further, almost all methods use TLS to establish the channel. Where
> the TLS-PSK will be used instead of full TLS, these methods will be
> improved a lot (processing time, message flow, MitM attack, etc.) and
> this without decreasing the security level. So I think that it is the
> right thing in our case when the majority of EAP methods use TLS.
>
>> TLS was designed for public-key environments, and I
>> agree it's probably the right thing to use for public-key
>> authentication.
>
> That is true. But in TLS, the abbreviated handshake is already
> specified and no text (in TLS1.0) prohibits us from using it for long
> duration. Again, this may not decrease the security level. Anyway, the
> TLS-PSK will soon move forward to proposed through the TLS WG.
>
>> We obviously have a difference of opinion, and aren't going to change
>> each others' mind. The pros and cons can be argued from both
>> directions.
>
> Maybe it is the holiday time, but would like to hear comments from
> people on the mailing list.
>
> --
>
> Mohamad Badra
> ENST-Paris
> Dept. Computer Sciences and Networks
>
> _______________________________________________
> eap mailing list
> eap [at] frascone.com http://mail.frascone.com/mailman/listinfo/eap