Yoshihiro Ohba wrote:
I think Vidya has a good point.
My opinion is that bootstrapping protocols from long-term
credentials used for network access authentication is not such a bad
idea, but we just do not know yet the best way to realize it:
Such bootstrapping or "single sign-on" protocol could (and IMHO
should) still be independent of the link it's run over (i.e., it
would work over any IP network).
BTW, 3GPP and 3GPP2 already have one such "single sign-on" protocol,
which uses the same long-term credential you'd usually use for network
access authentication to set up short-term "security associations" for
higher layer protocols (but it runs over any IP network, so it works
even if, e.g., your current access network did not require any
authentication). It's called "Generic Bootstrapping Architecture"
(GBA design also allows adding new types of credentials between the
client and the "key distribution center" (BSF) without impacting other
elements of the system. You could, e.g., add support for EAP here in a
way that would be independent of the link layer currently being used.
So far, 3GPP/3GPP2 have not needed this, but if GBA ends up being used
in other systems as well, it could be useful.)
IETF mailing list