
Re: Clarification of EAP authentication in IKEv2?



>>>>> "Pasi" == Pasi Eronen <Pasi.Eronen@nokia.com> writes:
    Pasi> Recently, some people have interpreted the last sentence as "public
    Pasi> key signature based authentication of the responder MUST be used".

    Pasi> Another possible interpretation is that _typically_ the responder
    Pasi> is authenticated with public key signatures (for the reasons given
    Pasi> earlier in the paragraph), but other alternatives (such as EAP
    Pasi> method that provides mutual authentication, or even shared secret)
    Pasi> may be possible in some circumstances.

  An EAP method that provided mutual authentication would authenticate the
EAP authenticator, not the IKEv2 responder. 

  I do not think that we provided EAP<->IKEv2 channel bindings.

    Pasi> Personally, I support the latter interpretation; since otherwise
    Pasi> only initiator authentication is extensible, not responder (and I
  
  That's what most people want.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
