<inline> Tom Petch ----- Original Message ----- From: "Jeffrey Hutzelman" <jhutz@xxxxxxx> To: "Randy Presuhn" <randy_presuhn@xxxxxxxxxxxxxx>; "ietf" <ietf@xxxxxxxx> Cc: "Jeffrey Hutzelman" <jhutz@xxxxxxx> Sent: Wednesday, April 11, 2007 9:19 PM Subject: Re: Last Call: draft-williams-on-channel-binding (On the Use ofChannel Bindings to Secure Channels) to Proposed Standard > > > On Wednesday, April 11, 2007 12:09:24 PM -0700 Randy Presuhn > <randy_presuhn@xxxxxxxxxxxxxx> wrote: > > > Hi - > > > >> From: "Tom.Petch" <sisyphus@xxxxxxxxxxxxxx> > >> To: "ietf" <ietf@xxxxxxxx> > >> Sent: Wednesday, April 11, 2007 10:43 AM > >> Subject: Re: Last Call: draft-williams-on-channel-binding (On the Use > >> ofChannel Bindings to Secure Channels) to Proposed Standard > > ... > >> Otherwise those who would benefit from it - isms, netconf, syslog, ... ? > >> - will not understand what they might do. I appreciate that something > >> of this ilk has been around for a while (eg as when Ira McDonald pointed > >> the isms list at draft-puthenkulam-eap-binding-04.txt) but I think that > >> it got no traction because of its impenetrability. > > ... > > > > In the isms WG, we were told that we could not use EAP. > > http://www1.ietf.org/mail-archive/web/isms/current/msg00464.html > > That's right; isms is outside of EAP's field of applicability. But > draft-williams-on-channel-bindings is not specifically about EAP, but > rather about a general class of problems that arises when protected > communications channels are established independently of authentication, > and an approach and method for solving those problems, particularly within > the context of various authentication frameworks. > > As it turns out, ISMS doesn't need to work about this class of problems > because the approach we chose uses SSH, which provides both authentication > and a protected channel in an integrated manner. Now, if SSH for some > reason wanted to make use of a protected channel provided by TLS or, more > likely, IPsec, then it would need to worry about this class of problems, > and the solutions might well involve exposing new interfaces to ISMS and > other applications built on SSH. But for the moment, that's not really an > issue. > Jeff I agree that SSH does provide authentication but authentication of what and how strong authentication? I recall concern being expressed that the authentication was of a low level engine when the application required authentication of a higher layer entity; my recollection is of seeing this on several lists. So I think that compound authentication may still be of value to isms, in the future. Tom Petch > -- Jeff > > _______________________________________________ > Ietf mailing list > Ietf@xxxxxxxx > https://www1.ietf.org/mailman/listinfo/ietf _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf