1 Sep 2010 16:40
Re: security paper on tunneled authentication
Hoeper Katrin-QWKN37 <khoeper <at> motorola.com>
2010-09-01 14:40:15 GMT
I agree. That's why I was thinking that adding a reference that makes implementers aware of this problem would be a good idea. Then they can make an educated decision about whether they want to implement additional mitigation techniques (i.e. enforce policies) or to not use password-based inner methods.

> -----Original Message-----
> From: Alan DeKok [mailto:aland <at> deployingradius.com]
> Sent: Wednesday, September 01, 2010 9:34 AM
> To: Hoeper Katrin-QWKN37
> Cc: Glen Zorn; Bernard Aboba; emu <at> ietf.org
> Subject: Re: [Emu] security paper on tunneled authentication
>
> Hoeper Katrin-QWKN37 wrote:
> > I will check the current draft for conflicts and, if necessary, propose
> > changes.
>
> I think that the main issue with the draft is that it requires
> tunneled methods to allow for password authentication. Your analysis
> paper says that password methods cannot be made resistant to these attacks.
>
> If that is right, then I don't think there is anything to do in the
> draft.
>
> Alan DeKok.