Re: Clarification of EAP authentication in IKEv2?
>>>>> "Pasi" == Pasi Eronen <Pasi.Eronen@nokia.com> writes:
Pasi> Recently, some people have interpreted the last sentence as "public
Pasi> key signature based authentication of the responder MUST be used".
Pasi> Another possible interpretation is that _typically_ the responder
Pasi> is authenticated with public key signatures (for the reasons given
Pasi> earlier in the paragraph), but other alternatives (such as EAP
Pasi> method that provides mutual authentication, or even shared secret)
Pasi> may be possible in some circumstances.

An EAP method that provided mutual authentication would authenticate the
EAP authenticator, not the IKEv2 responder.

I do not think that we provided EAP<->IKEv2 channel bindings.

Pasi> Personally, I support the latter interpretation; since otherwise
Pasi> only initiator authentication is extensible, not responder (and I

That's what most people want.

] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [