
Re: EAP applicability (Was: Re: IETF Last Call on Walled Garden Standard for the Internet)

2008-03-14 06:18:12
On Thu, Mar 13, 2008 at 09:47:31PM -0700, Lakshminath Dondeti wrote:
Let us consider the opposite situation.  Let us say the hotel network 
uses EAP for authentication and the hotel front desk gives the IETF 
folks a scratch card with credentials.  We then use the credentials for 
authentication using 802.1X-EAP (example only).  The hotel or an 
associated third party also offers some services/applications and wants 
to provide them for free for the IETF folks.  However the hotel does not 
want to share the credentials with the third party server.  Sure, the 
hotel may not make this facility of key management for all application 
providers out there and this mechanism is not useful for general purpose 
application access.  Why would we force the hotel to provide multiple 
sets of credentials for each additional service/application that they 
want to provide?

OK, let's take this example as a thought experiment.  Where are the
applications going to come from?  In general, getting application
vendors to ship clients which implement any kind of security code has
been like pulling teeth.  We've been mildly successful with TLS/SSL
and in certain very specific cases (i.e., https and mail

Something esoteric that only works on networks that happen to provide
EAP keying will be such a small part of the market that getting wide
availability of such applications is going to be, um, difficult.  So that
basically means that the hotel is going to have to provide the
applications which use this hotel-specific service.  Training users
that, no really, it's OK to download applications from random hotels
and installing them on their corporate laptops is something which I'm
*sure* the I/T departments will treat with special joy --- and by joy,
I mean fear and loathing.  :-)

Certainly from a corporate perspective, applications which can't work
on home networks (that may not use EAP at all, or in any case, if they
have EAP, are coming from an untrusted home Linksys/D-Link/whatever
"router"), aren't going to be at all interesting.  And from a security
perspective, they would certainly violate the end-to-end principle.

So aside from applications which are very much tied to the local
network --- i.e., network access protocols, maybe as a way of securing
a response from a dhcp server, etc. --- I'm not sure for which
applications an EAP based key would make any sense at all.

                                                   - Ted
IETF mailing list
