Some additional context... my original assumption was that it would be reasonable to require the user to select a trust anchor for the TLS-based EAP methods that we've been expecting to use, as per conventional 802.1X/802.11i supplicants.
The UI/UX designers claim (and I am sympathetic to this, given our experiences with supplicants) that this is a poor usability experience.
I assumed that we could side-step this by using one of the PSK based EAP methods, but each of these has some drawbacks (primarily poor resistance to dictionary attack). The strongest candidate is EAP-EKE, but the current spec does not support anonymity or pseudonymity (although the spec explains that this would be a reasonable extension to the existing protocol). Patches for EAP-EKE are available for wpa_supplicant and FreeRADIUS.
So, it might be worthwhile considering what methods we actually want to expose to the user, because of the UI/UX implications.
In the case of the TLS-based methods, I assume that for (1) and (2), our options are essentially constrained by libeap?
Josh.
> We've been discussing that the UI needs to look at certificate choice
> somehow but I don't think we've thought through the implications.
>
> First, certificate selection is critical to security. We've been
> talking about how EAP CB is what we need. However, I think today, the
> code will happily send your password (or at least an md5 of it) to any
> remote eap server.
> So, we definitely need both CB and some sort of certificate validation
> in order to be secure.
>
> There are a lot of basic questions:
>
> 1) Are we managing trust anchors with traditional RFC 5280 validation,
> fingerprint of keys, or fingerprint of certs?
>
> 2) Are we performing leap of faith (is this one OK first time) or
> install-at-ID creation time.
>
> 3) how does this interact with the case where the application supplies
> a new NAI and password into gss_acquire_creds_with_password?
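The three quoted questions (anchor representation, leap-of-faith versus install-at-identity-creation, and a fresh NAI plus password arriving through gss_acquire_creds_with_password) can be modelled as a small trust-store policy. The following is an added example written for this thread; it is not code from Moonshot, libeap, wpa_supplicant or FreeRADIUS. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders rather than real DER, the RFC 5280 chain result is assumed to come from the TLS library, and the `TrustStore` class, `Policy`/`AnchorKind` enums and `acquire_with_password` function are hypothetical names chosen here.

```python
"""Trust-anchor policy model for a TLS-based EAP supplicant (added example).

The point it shows: the supplicant must bind the server identity to some
anchor *before* the inner method releases the password. Which anchor form
and which provisioning policy are chosen decides what happens when an
application hands in a never-before-seen NAI with a password.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class AnchorKind(Enum):
    CHAIN = "rfc5280-chain"       # validate against a CA set (done by TLS library)
    CERT_FP = "cert-fingerprint"  # SHA-256 over the server certificate DER
    KEY_FP = "key-fingerprint"    # SHA-256 over the SubjectPublicKeyInfo DER


class Policy(Enum):
    TOFU = "leap-of-faith"                  # accept and pin on first contact
    PROVISIONED = "install-at-id-creation"  # refuse anything not pinned beforehand


@dataclass
class ServerPresentation:
    """What the EAP server shows in the TLS handshake (constructed placeholders)."""
    cert_der: bytes
    spki_der: bytes
    chain_valid: bool  # assumed: outcome of RFC 5280 path validation by the TLS stack


def fingerprint(data: bytes) -> str:
    """Hex SHA-256 of DER bytes; the form a UI could display or compare."""
    return hashlib.sha256(data).hexdigest()


class TrustStore:
    """Maps an NAI to (anchor kind, pinned fingerprint or None for chain anchors)."""

    def __init__(self) -> None:
        self._pins: Dict[str, Tuple[AnchorKind, Optional[str]]] = {}

    def provision(self, nai: str, kind: AnchorKind, pin: Optional[str] = None) -> None:
        """Install-at-identity-creation: anchor recorded before any server contact."""
        self._pins[nai] = (kind, pin)

    def observed(self, kind: AnchorKind, pres: ServerPresentation) -> Optional[str]:
        if kind is AnchorKind.CERT_FP:
            return fingerprint(pres.cert_der)
        if kind is AnchorKind.KEY_FP:
            return fingerprint(pres.spki_der)
        return None  # chain anchors carry no fingerprint

    def server_trusted(self, nai: str, pres: ServerPresentation,
                       policy: Policy, default_kind: AnchorKind = AnchorKind.KEY_FP) -> bool:
        """True only if the supplicant may continue to the inner method for this NAI."""
        entry = self._pins.get(nai)
        if entry is None:
            if policy is Policy.PROVISIONED:
                return False  # no anchor yet, so no credentials leave the client
            # leap of faith: pin whatever this first server presents
            pin = self.observed(default_kind, pres)
            self._pins[nai] = (default_kind, pin)
            return True
        kind, pin = entry
        if kind is AnchorKind.CHAIN:
            return pres.chain_valid
        return pin == self.observed(kind, pres)


def acquire_with_password(store: TrustStore, nai: str, password: str,
                          pres: ServerPresentation, policy: Policy) -> bool:
    """Models the gss_acquire_creds_with_password case: a new NAI and password
    arrive together. Returns whether the password would be released to the server."""
    if not store.server_trusted(nai, pres, policy):
        return False
    # Only here would the inner method (e.g. a password exchange) run.
    return bool(password)


# Constructed sample presentations; the byte strings stand in for DER.
SERVER_A = ServerPresentation(b"CERT-A-DER", b"SPKI-A-DER", chain_valid=True)
SERVER_B = ServerPresentation(b"CERT-B-DER", b"SPKI-B-DER", chain_valid=False)
```

With a provisioned key fingerprint for `alice@example.org`, `server_trusted` returns True for `SERVER_A` and False for `SERVER_B`; under `Policy.TOFU` an empty store pins the first server seen and rejects a different one afterwards; under `Policy.PROVISIONED` a brand-new NAI is refused before any password is used, which is the behaviour the quoted message says today's code lacks.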