
Re: last call comments on the mapping documents



On Wed, Mar 09, 2005 at 03:54:35PM -0600, Eliot Lear wrote:

> >d) Section 1.1:
> >
> >    The SASL profile used by BEEP allows for a simple and direct mapping
> >    to the existing security model for CLI, while TLS provides a strong
> >    well tested encryption mechanism with either server or server and
> >    client-side authentication.
> >
> >   I learned in the ISMS WG that SASL over TLS is not necessarily
> >   secure. Has BEEP fixed this problem, or should we better explain the
> >   issue here and/or in the security considerations section?
> 
> Can you please elaborate?  I can envision problems where if client-side 
> certificates are in use and EXTERNAL SASL was in play.  Is that what you 
> are referring to?  Wes would you care to comment?

My understanding is that common SASL usage in combination with TLS 
lacks a cryptographic binding of the authentication exchange with 
the underlying secure transport. Wes surely can explain that better
than I can. I am just wondering whether BEEP "suffers" from the
same problem or not.

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>