Yoshihiro Ohba wrote:
> I think Vidya has a good point.
>
> My opinion is that, bootstrapping protocols from long-term
> credentials used for network access authentication is not such a bad
> idea, but we just do not know yet the best way to realize it:
>
> http://user.informatik.uni-goettingen.de/~mobiarch/2007/slides/mobiarch07-panel-YoshiroOhba.pdf

Such bootstrapping or "single sign-on" protocol could (and IMHO should) still be independent of the link it's run over (i.e., it would work over any IP network).

BTW, 3GPP and 3GPP2 already have one such "single sign-on" protocol, which uses the same long-term credential you'd usually use for network access authentication to set up short-term "security associations" for higher layer protocols (but it runs over any IP network, so it works even if, e.g., your current access network did not require any authentication). It's called "Generic Bootstrapping Architecture" or GBA.

(GBA design also allows adding new types of credentials between the client and the "key distribution center" (BSF) without impacting other elements of the system. You could, e.g., add support for EAP here in a way that would be independent of the link layer currently being used. So far, 3GPP/3GPP2 have not needed this, but if GBA ends up being used in other systems as well, it could be useful.)

Best regards,
Pasi

_______________________________________________
IETF mailing list
IETF@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
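The key hierarchy Pasi describes (one long-term credential shared with the BSF, a short-term bootstrapped key, and separate per-application keys handed out to each server) can be modelled in a few dozen lines. The following is an added, simplified illustration written for this thread; it is not 3GPP code and not the GBA specification. The interface names Ub (client to BSF), Zn (application server to BSF) and Ua (client to application server) are the real GBA ones, but the challenge/response exchange, the HMAC-SHA256 "KDF", the B-TID format and all keys and identities are constructed stand-ins for the AKA run and the TS 33.220 key derivation. The model runs entirely at the application layer, which is the link-independence point made above.

```python
import hashlib
import hmac
import secrets
import time


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Toy KDF: HMAC-SHA256 over length-prefixed inputs (stand-in for the 3GPP KDF)."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class BSF:
    """Bootstrapping Server Function: the 'key distribution center' in the message."""

    def __init__(self, subscribers, key_lifetime=3600.0):
        self.subscribers = subscribers      # IMPI -> long-term key K (constructed)
        self.key_lifetime = key_lifetime
        self.pending = {}                   # IMPI -> RAND awaiting a response
        self.sessions = {}                  # B-TID -> (IMPI, RAND, Ks, expiry)

    def challenge(self, impi):
        """Ub, step 1: fresh challenge for the client (stand-in for an AKA run)."""
        rand = secrets.token_bytes(16)
        self.pending[impi] = rand
        return rand

    def verify(self, impi, res):
        """Ub, step 2: check proof of the long-term key, derive Ks, issue a B-TID."""
        rand = self.pending.pop(impi)
        k = self.subscribers[impi]
        if not hmac.compare_digest(res, kdf(k, b"res", rand)):
            raise PermissionError("bad response: client does not hold K")
        ks = kdf(k, b"ks", rand)
        btid = secrets.token_hex(8) + "@bsf.example"   # constructed identifier
        self.sessions[btid] = (impi, rand, ks, time.time() + self.key_lifetime)
        return btid

    def zn_fetch(self, btid, naf_id, now=None):
        """Zn: give a NAF only the key bound to its own identity, never Ks itself."""
        now = time.time() if now is None else now
        if btid not in self.sessions:
            raise KeyError("unknown B-TID; client must re-bootstrap")
        impi, rand, ks, expiry = self.sessions[btid]
        if now > expiry:
            del self.sessions[btid]
            raise TimeoutError("Ks expired; client must re-bootstrap")
        return kdf(ks, b"gba-me", rand, impi.encode(), naf_id)


class UE:
    """Client holding the same long-term key; derives Ks and per-NAF keys locally."""

    def __init__(self, impi, k):
        self.impi, self.k = impi, k
        self.rand = self.ks = self.btid = None

    def bootstrap(self, bsf):
        self.rand = bsf.challenge(self.impi)
        self.btid = bsf.verify(self.impi, kdf(self.k, b"res", self.rand))
        self.ks = kdf(self.k, b"ks", self.rand)      # same Ks the BSF computed
        return self.btid

    def ks_naf(self, naf_id):
        return kdf(self.ks, b"gba-me", self.rand, self.impi.encode(), naf_id)


class NAF:
    """Network Application Function: any IP-reachable service that uses GBA keys."""

    def __init__(self, naf_id, bsf):
        self.naf_id, self.bsf = naf_id, bsf

    def authenticate(self, btid, client_mac, payload, now=None):
        """Ua, simplified: verify a MAC the client computed under Ks_NAF."""
        key = self.bsf.zn_fetch(btid, self.naf_id, now)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        return hmac.compare_digest(client_mac, expected)


def demo(now=None):
    """One bootstrap, then logins at two application servers; return the outcomes."""
    k = bytes.fromhex("0f" * 16)                      # constructed long-term key
    bsf = BSF({"user@operator.example": k}, key_lifetime=3600.0)
    ue = UE("user@operator.example", k)
    btid = ue.bootstrap(bsf)
    mail, web = NAF(b"mail.example", bsf), NAF(b"web.example", bsf)
    msg = b"hello"
    mac_mail = hmac.new(ue.ks_naf(b"mail.example"), msg, hashlib.sha256).digest()
    return {
        "mail_ok": mail.authenticate(btid, mac_mail, msg, now),
        "web_rejects_mail_key": not web.authenticate(btid, mac_mail, msg, now),
        "keys_differ": ue.ks_naf(b"mail.example") != ue.ks_naf(b"web.example"),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties worth noticing: each server receives a key bound to its own NAF identity, so a compromised mail server learns nothing usable at the web server, and the BSF never releases Ks itself; and the B-TID lifetime means an expired or unknown bootstrap forces a fresh Ub run rather than silently reusing old key material.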