On Thu, Mar 13, 2008 at 09:47:31PM -0700, Lakshminath Dondeti wrote:
> Let us consider the opposite situation. Let us say the hotel network
> uses EAP for authentication and the hotel front desk gives the IETF
> folks a scratch card with credentials. We then use the credentials for
> authentication using 802.1X-EAP (example only). The hotel or an
> associated third party also offers some services/applications and wants
> to provide them for free for the IETF folks. However the hotel does not
> want to share the credentials with the third party server. Sure, the
> hotel may not make this facility of key management for all application
> providers out there and this mechanism is not useful for general purpose
> application access. Why would we force the hotel to provide multiple
> sets of credentials for each additional service/application that they
> want to provide?

OK, let's take this example as a thought experiment. Where are the applications going to come from? In general, getting application vendors to ship clients which implement any kind of security code has been like pulling teeth. We've been mildly successful with TLS/SSL and in certain very specific cases (i.e., https and mail applications). Something esoteric that only works on networks that happen to provide EAP keying will be such a small part of the market that getting wide availability of such applications is going to be, um, difficult.

So that basically means that the hotel is going to have to provide the applications which use this hotel-specific service. Training users that, no really, it's OK to download applications from random hotels and install them on their corporate laptops is something which I'm *sure* the I/T departments will treat with special joy --- and by joy, I mean fear and loathing. :-)

Certainly from a corporate perspective, applications which can't work on home networks (that may not use EAP at all, or in any case, if they have EAP, are coming from an untrusted home Linksys/D-Link/whatever "router") are not going to be at all interesting. And from a security perspective, they would certainly violate the end-to-end principle.

So aside from applications which are very much tied to the local network --- i.e., network access protocols, maybe as a way of securing a response from a dhcp server, etc. --- I'm not sure for which applications an EAP based key would make any sense at all.

- Ted

_______________________________________________
IETF mailing list
IETF@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf