eap Mailing List: Re: Future of EAP-PSK

[Charles Clancy (clancy]

> So, it appears that EAP-PAX wants to place in the mid between EAP-FAST 
> (lot of features, most requiring asymmetric crypto) and EAP-PSK 
> (simplicity, only symmetric crypto). So, depending on the situation, a 
> fast and less secure authentication as well as a few efficient but more 
> secure authentication is possible.

Simplicity plus features was indeed the design goal behind EAP-PAX. 
However, I wouldn't call the "fast" version of PAX "less secure". 
Cryptographically, the PAX_STD is just as strong -- it just can't be used 
if you want identity protection or during an initial provisioning.

> To conclude, I hope the discussion about preshared key methods becomes 
> more active, that we get soon a mature, secure pre-shared key EAP 
> method, and - from the customer's point of view - becomes as soon as 
> possible available in implementations.

I think that in order for people to really get involved in any EAP method 
development at all, there needs to be a WG chartered with that 
responsibility.  I understand that SECMETH may eventually take on that 
task, but it will be quite some time before they'll be working on concrete 
protocols.

To echo an opinion Jari has expressed several times, I think the EAP WG 
should take on a couple of the simpler protocols whose authors have 
requested standards-track WG action.  This would serve to get some decent 
methods out there until SECMETH fully gears up.

[ t. charles clancy ]--[ tcc [at] umd.edu ]--[ www.cs.umd.edu/~clancy ]
[ computer science ]-----[ university of maryland | college park ]