Re: Last Call: draft-williams-on-channel-binding (On the Use of Channel Bindings to Secure Channels) to Proposed Standard

2007-04-12 12:28:46
Tom Petch

----- Original Message -----
From: "Jeffrey Hutzelman" <jhutz(_at_)cmu(_dot_)edu>
To: "Randy Presuhn" <randy_presuhn(_at_)mindspring(_dot_)com>; "ietf" 
<ietf(_at_)ietf(_dot_)org>
Cc: "Jeffrey Hutzelman" <jhutz(_at_)cmu(_dot_)edu>
Sent: Wednesday, April 11, 2007 9:19 PM
Subject: Re: Last Call: draft-williams-on-channel-binding (On the Use of Channel
Bindings to Secure Channels) to Proposed Standard




On Wednesday, April 11, 2007 12:09:24 PM -0700 Randy Presuhn
<randy_presuhn(_at_)mindspring(_dot_)com> wrote:

Hi -

From: "Tom.Petch" <sisyphus(_at_)dial(_dot_)pipex(_dot_)com>
To: "ietf" <ietf(_at_)ietf(_dot_)org>
Sent: Wednesday, April 11, 2007 10:43 AM
Subject: Re: Last Call: draft-williams-on-channel-binding (On the Use
of Channel Bindings to Secure Channels) to Proposed Standard
...
Otherwise those who would benefit from it - isms, netconf, syslog, ... ?
- will not understand what they might do.  I appreciate that something
of this ilk has been around for a while (e.g. as when Ira McDonald pointed
the isms list at draft-puthenkulam-eap-binding-04.txt) but I think that
it got no traction because of its impenetrability.
...

In the isms WG, we were told that we could not use EAP.
http://www1.ietf.org/mail-archive/web/isms/current/msg00464.html

That's right; isms is outside of EAP's field of applicability.  But
draft-williams-on-channel-bindings is not specifically about EAP, but
rather about a general class of problems that arises when protected
communications channels are established independently of authentication,
and an approach and method for solving those problems, particularly within
the context of various authentication frameworks.

As it turns out, ISMS doesn't need to worry about this class of problems
because the approach we chose uses SSH, which provides both authentication
and a protected channel in an integrated manner.  Now, if SSH for some
reason wanted to make use of a protected channel provided by TLS or, more
likely, IPsec, then it would need to worry about this class of problems,
and the solutions might well involve exposing new interfaces to ISMS and
other applications built on SSH.  But for the moment, that's not really an
issue.

Jeff

I agree that SSH does provide authentication, but authentication of what, and how
strong an authentication?  I recall concern being expressed that the authentication
was of a low-level engine when the application required authentication of a
higher-layer entity; my recollection is of seeing this on several lists.

So I think that compound authentication may still be of value to isms, in the
future.

Tom Petch

-- Jeff

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf


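The class of problems Jeff describes (a protected channel set up independently of the authentication that runs over it) and the channel-binding approach the draft takes to it can be shown concretely. The following is an added, constructed example for this thread; it is not code from draft-williams-on-channel-binding, from ISMS, or from any IETF protocol. It models a "unique"-style binding (a value identifying one channel instance, derived here from that channel's handshake transcript) and a password-based proof that covers that value, so the proof only verifies when client and server are looking at the same channel. All names, the salt, the nonce and the transcripts are constructed for the example.

```python
"""Channel-binding demo: an authentication proof that only verifies when both
ends see the same secure-channel instance.  Constructed example; not code from
the draft or from any IETF protocol."""
import hashlib
import hmac
from typing import Optional


def channel_binding(handshake_transcript: bytes) -> bytes:
    # A 'unique'-style channel binding: a value that identifies one particular
    # channel instance, derived from that channel's own handshake transcript.
    return hashlib.sha256(b"cb-unique:" + handshake_transcript).digest()


def derive_key(password: bytes) -> bytes:
    # Constructed fixed salt so the example is deterministic.
    return hashlib.pbkdf2_hmac("sha256", password, b"constructed-salt", 10_000)


def client_proof(password: bytes, nonce: bytes, cb: Optional[bytes]) -> bytes:
    # The proof covers the server's nonce and, when bound, the client's own view
    # of the channel it is sending over.
    msg = b"auth:" + nonce + (cb if cb is not None else b"")
    return hmac.new(derive_key(password), msg, hashlib.sha256).digest()


def server_verify(password: bytes, nonce: bytes, cb: Optional[bytes], proof: bytes) -> bool:
    # The server recomputes the proof with *its own* view of the channel; any
    # mismatch between the two views makes verification fail.
    expected = client_proof(password, nonce, cb)
    return hmac.compare_digest(expected, proof)


def run_exchange(client_transcript: bytes, server_transcript: bytes, bind: bool) -> bool:
    # Runs one authentication exchange.  The two transcripts are what each end
    # observed on the channel it terminates; they differ when the channel was
    # not established end to end.
    password = b"correct horse battery staple"  # constructed shared secret
    nonce = b"\x01" * 16                         # constructed server nonce
    cb_client = channel_binding(client_transcript) if bind else None
    cb_server = channel_binding(server_transcript) if bind else None
    proof = client_proof(password, nonce, cb_client)  # proof reaches the server unchanged
    return server_verify(password, nonce, cb_server, proof)


# Constructed handshake transcripts.
SAME_CHANNEL = b"handshake-A"
OTHER_CHANNEL = b"handshake-B"


def direct_channel_bound() -> bool:
    # One end-to-end channel: both ends derive the same binding, proof verifies.
    return run_exchange(SAME_CHANNEL, SAME_CHANNEL, bind=True)


def split_channels_bound() -> bool:
    # Two independently established channels: bindings differ, proof is rejected.
    return run_exchange(SAME_CHANNEL, OTHER_CHANNEL, bind=True)


def split_channels_unbound() -> bool:
    # Same split channels, but the proof does not cover the channel: it is
    # accepted, which is exactly the gap channel binding closes.
    return run_exchange(SAME_CHANNEL, OTHER_CHANNEL, bind=False)


if __name__ == "__main__":
    print("direct, bound:    ", direct_channel_bound())
    print("split, bound:     ", split_channels_bound())
    print("split, unbound:   ", split_channels_unbound())
```

The design point is the third case: without the binding, the server cannot tell from the proof alone whether the authenticating party is the one at the far end of its own channel, because nothing in the proof depends on that channel. Adding the binding value to what the proof covers, as the draft's approach does, makes the authentication and the channel stand or fall together.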