Re: [kitten] [saag] HTTP authentication: the next generation

Yaron Sheffer wrote:

> Hi Luke,
>
> I am not a big fan of EAP myself (although I am a co-author on Yoav's 
> TLS-EAP), but no, for pragmatic reasons SASL is not the moral equivalent.
>
> There are a number of EAP methods that provide zero-knowledge password 
> based mutual authentication (i.e. password based auth that's *not* 
> susceptible to dictionary attacks). These include (see 
> http://www.iana.org/assignments/eap-numbers/eap-numbers.xml#eap-numbers-3): 
> EAP-SRP-SHA1, EAP-pwd, EAP-EKE and EAP-SPEKE.
>
> As far as I can see 
> (http://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml), 
> SASL does not provide any equivalent method.

There is an expired SASL SRP draft, which can be revived, if needed.

> Thanks,
>     Yaron
>
> On 12/12/2010 03:38 AM, Luke Howard wrote:
>
>> On 12/12/2010, at 10:10 AM, Yoav Nir wrote:
>>
>>> On Dec 11, 2010, at 1:09 AM, Paul Hoffman wrote:
>>>
>>>> At 3:53 PM -0700 12/10/10, Peter Saint-Andre wrote:
>>>>
>>>>> Other than that, I'm not aware of much activity. What have I missed?
>>>>
>>>>
>>>> TLS client certificates.
>>>
>>>
>>> TLS client certificates work, but as we've learned both with the web 
>>> and with IPsec clients, people would much rather not use them. A few 
>>> IETFs ago (Chicago?), a bunch of us tried to push the idea of TLS 
>>> with EAP authentication.
>>>
>>> http://tools.ietf.org/html/draft-nir-tls-eap
>>
>>
>> Does draft-williams-tls-app-sasl-opt-04.txt + abfab get you the moral 
>> equivalent?
>>
>> -- Luke
>

Received on Sunday, 12 December 2010 14:11:12 UTC
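The kind of exchange the thread is discussing, as an added example that is not part of the original message, the expired SASL SRP draft or any EAP method: an SRP-6a login with both sides' messages, alongside a CRAM-style challenge-response of the sort SASL already has, to show why only the latter gives an eavesdropper something to run a wordlist against. Assumptions: the 1024-bit group is copied from RFC 5054 Appendix A (check the digits before reuse), SHA-256 is used where the SRP specs use SHA-1, and the challenge-response is a simplified HMAC construction, not byte-exact CRAM-MD5.

```python
import hashlib
import hmac
import secrets

# 1024-bit SRP group from RFC 5054, Appendix A, copied into this example as an
# assumption (verify the digits against the RFC before reuse); g = 2 for this group.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def tb(x: int) -> bytes:
    """Fixed-width big-endian encoding of a group element."""
    return x.to_bytes(NLEN, "big")


def sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def hint(*parts: bytes) -> int:
    return int.from_bytes(sha(*parts), "big")


k = hint(tb(N), tb(g))  # SRP-6a multiplier


def register(username: bytes, password: bytes):
    """Enrollment: the server stores (salt, verifier v = g^x), never the password."""
    salt = secrets.token_bytes(16)
    x = hint(salt, sha(username, b":", password))
    return salt, pow(g, x, N)


def client_hello():
    a = secrets.randbits(256)
    return a, pow(g, a, N)  # message 1, client -> server: I, A


def server_challenge(salt: bytes, v: int, A: int):
    if A % N == 0:
        raise ValueError("A mod N == 0: client ephemeral rejected")
    b = secrets.randbits(256)
    return b, (k * v + pow(g, b, N)) % N  # message 2, server -> client: salt, B


def client_key(username, password, salt, a, A, B) -> bytes:
    if B % N == 0:
        raise ValueError("B mod N == 0: server ephemeral rejected")
    u = hint(tb(A), tb(B))
    x = hint(salt, sha(username, b":", password))
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)  # needs the private a
    return sha(tb(S))


def server_key(v, b, A, B) -> bytes:
    u = hint(tb(A), tb(B))
    S = pow((A * pow(v, u, N)) % N, b, N)  # needs the private b
    return sha(tb(S))


def client_proof(username, salt, A, B, K) -> bytes:
    hxor = bytes(p ^ q for p, q in zip(sha(tb(N)), sha(tb(g))))
    return sha(hxor, sha(username), salt, tb(A), tb(B), K)  # message 3: M1


def server_proof(A, M1, K) -> bytes:
    return sha(tb(A), M1, K)  # message 4: M2


def srp_login(username: bytes, stored_password: bytes, offered_password: bytes) -> bool:
    """Full exchange; True only when both sides have authenticated each other."""
    salt, v = register(username, stored_password)
    a, A = client_hello()
    b, B = server_challenge(salt, v, A)
    Kc = client_key(username, offered_password, salt, a, A, B)
    M1 = client_proof(username, salt, A, B, Kc)
    Ks = server_key(v, b, A, B)
    if not hmac.compare_digest(M1, client_proof(username, salt, A, B, Ks)):
        return False  # server rejects and never sends M2
    M2 = server_proof(A, M1, Ks)
    return hmac.compare_digest(M2, server_proof(A, M1, Kc))


# Contrast: a CRAM-style challenge-response (simplified, not byte-exact CRAM-MD5).
def cram_response(challenge: bytes, password: bytes) -> bytes:
    return hmac.new(password, challenge, hashlib.sha256).digest()


def offline_attack(challenge: bytes, response: bytes, wordlist):
    """Both values an eavesdropper needs are on the wire, so guesses are checked offline."""
    for guess in wordlist:
        if hmac.compare_digest(cram_response(challenge, guess), response):
            return guess
    return None


if __name__ == "__main__":
    print("SRP, right password:", srp_login(b"alice", b"correct horse", b"correct horse"))
    print("SRP, wrong password:", srp_login(b"alice", b"correct horse", b"battery"))
    ch = b"<1896.697170952@example.invalid>"  # constructed challenge
    print("CRAM-style sniffed:", offline_attack(ch, cram_response(ch, b"letmein"),
                                                [b"password", b"letmein", b"hunter2"]))
```

The point of the contrast is the sniffer's view: for the challenge-response, the pair (challenge, response) is a complete offline test for any password guess, which is why the quoted remark about dictionary attacks applies to the SASL mechanisms in the registry. In the SRP transcript (username, salt, A, B, M1, M2) a guess x' lets the attacker compute g^x', but checking it means recomputing S, and both branches above require a private ephemeral that never leaves its owner.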