
RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-17 00:30:44
At 12:00 AM 10/17/2006, Khosravi, Hormuzd M wrote:
Sam,

I believe if we move 'quickly' in this WG we will be able to meet
interoperability goals to a certain extent at least. The bottom-line is
this technology is already being deployed by different vendors in
academia and enterprises. The question is should IETF get involved in
standardizing this or leave it to the individual vendors. I believe the
IETF should and that standardization will certainly help the community,
if we can move fast enough.

Whereas interoperability is a noble goal, the IETF also has the good habit of clearly specifying what our protocols do and don't do. Our bar is thankfully higher than marketing literature, for example.

The recent email by Jari Arkko to standardize some of the EAP methods
which are being used and deployed today but no RFCs exist for them, is
certainly a step in the right direction.

Good example actually: 3748 contains brutal truths about some of the legacy EAP methods, for instance on MD5-Challenge -- which no one should really be using for access control -- it says:

Auth. mechanism:           Password or pre-shared key.
Ciphersuite negotiation:   No
Mutual authentication:     No
Integrity protection:      No
Replay protection:         No
Confidentiality:           No
Key derivation:            No
Key strength:              N/A
Dictionary attack prot.:   No
Fast reconnect:            No
Crypt. binding:            N/A
Session independence:      N/A
Fragmentation:             No
Channel binding:           No

In other words, someone who uses that protocol gets zilch! Now of course, in the "real" world, a variant of this protocol was used and soon after publicly demonstrated to be useless.

best regards,
Lakshminath


My 2 cents,
Hormuzd
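
To make the MD5-Challenge security-claims table in the thread concrete, here is an added example (not code from this thread, from RFC 3748 or from any NEA implementation) that encodes an EAP MD5-Challenge Request/Response pair and runs the authenticator's verification step. Field layout follows RFC 3748 section 5.4; the identifier, password and challenge are constructed sample values, and the only inputs to the check that were not sent in the clear is the password itself.

```python
import hashlib
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4  # RFC 3748 section 5.4

def build_md5_challenge(code, identifier, value, name=b""):
    """Encode an MD5-Challenge Request (value = challenge) or Response
    (value = 16-byte hash): Code, Identifier, Length, Type, Value-Size,
    Value, Name (RFC 3748 section 5.4)."""
    type_data = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data

def parse_md5_challenge(pkt):
    """Decode the fields that are visible to anyone on the link."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or pkt[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    value_size = pkt[5]
    value = pkt[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("truncated Value field")
    return code, identifier, value, pkt[6 + value_size:]

def md5_response_value(identifier, secret, challenge):
    """Response-Value = MD5(Identifier || secret || Challenge-Value),
    the CHAP computation of RFC 1994 that RFC 3748 reuses."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def authenticator_check(request_pkt, response_pkt, secret):
    """The authenticator's verification step. Every input except `secret`
    was sent in the clear and the method derives no key, so a passive
    observer can run exactly this computation against candidate secrets;
    that is what 'Dictionary attack prot.: No' and 'Key derivation: No'
    in the RFC 3748 claims table mean in practice."""
    req_code, req_id, challenge, _ = parse_md5_challenge(request_pkt)
    resp_code, resp_id, response, _ = parse_md5_challenge(response_pkt)
    if req_code != EAP_REQUEST or resp_code != EAP_RESPONSE or req_id != resp_id:
        raise ValueError("not a matching Request/Response pair")
    return md5_response_value(resp_id, secret, challenge) == response

if __name__ == "__main__":
    # Constructed exchange: a 16-octet challenge and a weak password.
    ident, pw, chal = 7, b"hunter2", bytes(range(16))
    req = build_md5_challenge(EAP_REQUEST, ident, chal, b"nas1")
    resp = build_md5_challenge(EAP_RESPONSE, ident,
                               md5_response_value(ident, pw, chal), b"alice")
    print("authenticator accepts:", authenticator_check(req, resp, pw))   # True
    print("wrong guess rejected :", authenticator_check(req, resp, b"x"))  # False
```

Note that nothing in the exchange lets the peer verify the authenticator, which is the 'Mutual authentication: No' row, and the successful check yields no keying material to protect what follows.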


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf