
From hartmans@mit.edu  Fri Jun  1 06:47:24 2012
From: Sam Hartman <hartmans-ietf@mit.edu>
To: zhou.sujing@zte.com.cn
References: <OF788ADC8B.8FEFB4F6-ON48257A10.000B2792-48257A10.000C20C0@zte.com.cn>
Date: Fri, 01 Jun 2012 09:47:19 -0400
In-Reply-To: <OF788ADC8B.8FEFB4F6-ON48257A10.000B2792-48257A10.000C20C0@zte.com.cn> (zhou sujing's message of "Fri, 1 Jun 2012 10:11:48 +0800")
Message-ID: <tsld35jjg9k.fsf@mit.edu>
Cc: emu@ietf.org
Subject: Re: [Emu] reference Information about channel binding and crypto binding

>>>>> "zhou" == zhou sujing <zhou.sujing@zte.com.cn> writes:

    zhou> 3. also in rfc 5247
   
    zhou>    TEKs are output from EAP methods and were designed to
    zhou> secure the channel, couldn't they be used in channel binding
    zhou> or crypto binding?

TEKs can and typically will be used for channel binding.  Certainly the
work we've done in Moonshot for TTLS and the work proposed for TEAP
effectively uses a TEK (in RFC 5247's terminology) for channel binding.

TEKs are inappropriate for crypto binding because they are not exported
from an EAP method and so cannot be used to generate a compound key.

From jsalowey@cisco.com  Tue Jun  5 11:05:13 2012
From: Joe Salowey <jsalowey@cisco.com>
In-Reply-To: <A2745FF0-B8E0-49B5-8BE0-97D8B7643A39@cisco.com>
Date: Tue, 5 Jun 2012 11:05:11 -0700
Message-Id: <7E016FDC-A12A-42B7-BE6C-6BDA8DF71878@cisco.com>
References: <20120515153614.23260.30775.idtracker@ietfa.amsl.com> <A2745FF0-B8E0-49B5-8BE0-97D8B7643A39@cisco.com>
To: emu@ietf.org
Subject: Re: [Emu] [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt

June 4 has come and gone and we haven't received any comments.  If you
have reviewed the document and not found any issues please indicate that
on the list.  I'll leave the review open until 6/12.  If you can commit
to review the document, please let me know.

Thanks,

Joe
On May 21, 2012, at 2:01 PM, Joe Salowey wrote:

> The NEA working group has produced a draft for carrying NEA posture
> methods within EAP.  It would be helpful if some EMU working group
> members reviewed the draft.  Please send your comments to the EMU list
> by June 4, 2012.
>
> Thanks,
>
> Joe
>
> Begin forwarded message:
>
>> From: internet-drafts@ietf.org
>> Date: May 15, 2012 8:36:14 AM PDT
>> To: i-d-announce@ietf.org
>> Cc: nea@ietf.org
>> Subject: [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories. This draft is a work item of the Network Endpoint
>> Assessment Working Group of the IETF.
>>
>> 	Title           : PT-EAP: Posture Transport (PT) Protocol For EAP Tunnel Methods
>> 	Author(s)       : Nancy Cam-Winget
>>                         Paul Sangster
>> 	Filename        : draft-ietf-nea-pt-eap-02.txt
>> 	Pages           : 20
>> 	Date            : 2012-05-15
>>
>>  This document specifies PT-EAP, an EAP based Posture Transport (PT)
>>  protocol designed to be used only inside a TLS protected tunnel
>>  method.  The document also describes the intended applicability of
>>  PT-EAP.
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-ietf-nea-pt-eap-02.txt
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> This Internet-Draft can be retrieved at:
>> ftp://ftp.ietf.org/internet-drafts/draft-ietf-nea-pt-eap-02.txt
>>
>> The IETF datatracker page for this Internet-Draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-nea-pt-eap/


From zhou.sujing@zte.com.cn  Wed Jun  6 02:18:49 2012
In-Reply-To: <7E016FDC-A12A-42B7-BE6C-6BDA8DF71878@cisco.com>
To: Joe Salowey <jsalowey@cisco.com>
Message-ID: <OF8FD781D7.20C7280F-ON48257A15.0033086C-48257A15.003318C0@zte.com.cn>
From: zhou.sujing@zte.com.cn
Date: Wed, 6 Jun 2012 17:18:22 +0800
Cc: emu@ietf.org
Subject: [Emu] A review Re: [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt


From hartmans@mit.edu  Wed Jun  6 12:09:50 2012
From: Sam Hartman <hartmans-ietf@mit.edu>
To: zhou.sujing@zte.com.cn
References: <OF8FD781D7.20C7280F-ON48257A15.0033086C-48257A15.003318C0@zte.com.cn>
Date: Wed, 06 Jun 2012 15:09:47 -0400
In-Reply-To: <OF8FD781D7.20C7280F-ON48257A15.0033086C-48257A15.003318C0@zte.com.cn> (zhou sujing's message of "Wed, 6 Jun 2012 17:18:22 +0800")
Message-ID: <tslbokw5kas.fsf@mit.edu>
Cc: emu@ietf.org
Subject: Re: [Emu] A review Re: [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt

I don't believe that existing crypto binding is adequate for NEA's needs
as discussed in draft-hartman-emu-mutual-crypto-binding.

Unfortunately, though, I'm not sure that tls-unique helps enough here. If
the outer method actually does provide server authentication as
deployed, then tls-unique is adequate.  TLS-unique is preferable to
crypto-binding because it allows you to determine whether you're talking
about the right tunnel in the scope of the inner method--prior to doing
the NEA assessment--rather than in the scope of the outer method. (Also,
I'd assume this method does not generate a particularly useful key, so
crypto binding is not that helpful)

However, if you're depending on something other than the outer method
for server authentication, then TLS-unique is not good enough.

From jsalowey@cisco.com  Wed Jun  6 16:59:27 2012
From: Joe Salowey <jsalowey@cisco.com>
In-Reply-To: <tslbokw5kas.fsf@mit.edu>
Date: Wed, 6 Jun 2012 16:59:20 -0700
Message-Id: <0341AF35-E78D-42FC-B542-E0186F6632C6@cisco.com>
References: <OF8FD781D7.20C7280F-ON48257A15.0033086C-48257A15.003318C0@zte.com.cn> <tslbokw5kas.fsf@mit.edu>
To: Sam Hartman <hartmans-ietf@mit.edu>
Cc: emu@ietf.org
Subject: Re: [Emu] A review Re: [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt

So, is your concern with using only MSK crypto binding with an inner
EAP authentication method used to authenticate an unauthenticated/poorly
authenticated tunnel or is it more specific to the nea-pt-eap method?

For the first concern it may be sufficient to discuss the issue in the
security considerations.

If the concern is more about specifics of TLS-unique in nea-pt-eap not
being adequate then we need to better understand what the concern is.  I
don't think the goal of the TLS-unique in nea-pt-eap is to provide
server authentication, rather it's to prevent the nea data from being
used in a context different than it was generated.

Thanks,

Joe
On Jun 6, 2012, at 12:09 PM, Sam Hartman wrote:

> I don't believe that existing crypto binding is adequate for NEA's needs
> as discussed in draft-hartman-emu-mutual-crypto-binding.
>
> Unfortunately, though, I'm not sure that tls-unique helps enough here. If
> the outer method actually does provide server authentication as
> deployed, then tls-unique is adequate.  TLS-unique is preferable to
> crypto-binding because it allows you to determine whether you're talking
> about the right tunnel in the scope of the inner method--prior to doing
> the NEA assessment--rather than in the scope of the outer method. (Also,
> I'd assume this method does not generate a particularly useful key, so
> crypto binding is not that helpful)
>
> However, if you're depending on something other than the outer method
> for server authentication, then TLS-unique is not good enough.
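
Added example (not part of the thread, and not code from PT-EAP or any draft): a simplified Python model of the point discussed in the two messages above, that tls-unique ties posture data to the tunnel it was generated in but says nothing about who terminates that tunnel. The `agent_key`, the report layout and all function names are assumptions made for illustration; the `tls_unique` values are constructed random bytes.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    """One outer TLS tunnel, as seen by both of its endpoints.

    tls_unique stands in for the RFC 5929 'tls-unique' value. A real TLS
    stack derives it from the handshake; here it is constructed random data.
    """
    tls_unique: bytes
    server_authenticated: bool  # did the outer method authenticate the server?


def new_tunnel(server_authenticated: bool) -> Tunnel:
    return Tunnel(os.urandom(12), server_authenticated)


def _tag(agent_key: bytes, tls_unique: bytes, posture: bytes) -> bytes:
    # Length-prefix the binding value so the two fields cannot be re-split.
    msg = len(tls_unique).to_bytes(2, "big") + tls_unique + posture
    return hmac.new(agent_key, msg, hashlib.sha256).digest()


def make_report(posture: bytes, tunnel: Tunnel, agent_key: bytes) -> dict:
    """Peer side: the MAC covers the posture AND the tunnel it is sent in.

    agent_key is a hypothetical key shared by the peer's posture agent and
    the server; the thread does not say how the posture data is protected.
    """
    return {
        "posture": posture,
        "tls_unique": tunnel.tls_unique,
        "tag": _tag(agent_key, tunnel.tls_unique, posture),
    }


def server_verify(report: dict, server_tunnel: Tunnel, agent_key: bytes) -> str:
    """Server side: check integrity first, then that the report was made
    for the tunnel it actually arrived on."""
    expected = _tag(agent_key, report["tls_unique"], report["posture"])
    if not hmac.compare_digest(expected, report["tag"]):
        return "bad-mac"
    if not hmac.compare_digest(report["tls_unique"], server_tunnel.tls_unique):
        return "wrong-tunnel"
    return "ok"


def direct_case(agent_key: bytes) -> str:
    """Peer and server share one tunnel whose server was authenticated."""
    tunnel = new_tunnel(server_authenticated=True)
    report = make_report(b"av=current;fw=on", tunnel, agent_key)
    return server_verify(report, tunnel, agent_key)


def relayed_case(agent_key: bytes) -> dict:
    """The peer's tunnel ends at an intermediary, which has a second,
    different tunnel to the server and forwards the report over it."""
    peer_side = new_tunnel(server_authenticated=False)
    server_side = new_tunnel(server_authenticated=True)
    report = make_report(b"av=current;fw=on", peer_side, agent_key)

    # Same report with only the binding field swapped, MAC left untouched.
    rewritten = dict(report, tls_unique=server_side.tls_unique)

    return {
        # The data is used outside the context it was generated in: rejected.
        "server_verdict": server_verify(report, server_side, agent_key),
        # Changing the field without the key breaks the MAC: rejected.
        "rewritten_verdict": server_verify(rewritten, server_side, agent_key),
        # From the peer's side the binding looks perfectly consistent ...
        "peer_binding_consistent": report["tls_unique"] == peer_side.tls_unique,
        # ... so only outer-method server authentication tells the peer
        # whether the tunnel ends where it should.
        "peer_knows_endpoint": peer_side.server_authenticated,
    }


if __name__ == "__main__":
    key = os.urandom(32)  # constructed sample key
    print("direct :", direct_case(key))
    print("relayed:", relayed_case(key))
```

The server-side check catches posture data replayed into a different tunnel; the peer-side fields show why the binding by itself gives the peer no assurance about the far end of its own tunnel.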


From zhou.sujing@zte.com.cn  Wed Jun  6 18:28:13 2012
In-Reply-To: <0341AF35-E78D-42FC-B542-E0186F6632C6@cisco.com>
To: Joe Salowey <jsalowey@cisco.com>
Message-ID: <OF02C6AEE1.55011C61-ON48257A16.00070163-48257A16.00081889@zte.com.cn>
From: zhou.sujing@zte.com.cn
Date: Thu, 7 Jun 2012 09:27:48 +0800
Cc: Sam Hartman <hartmans-ietf@mit.edu>, emu@ietf.org
Subject: Re: [Emu] A review Re: [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt


From hartmans@mit.edu  Thu Jun  7 06:03:05 2012
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Joe Salowey <jsalowey@cisco.com>
References: <OF8FD781D7.20C7280F-ON48257A15.0033086C-48257A15.003318C0@zte.com.cn> <tslbokw5kas.fsf@mit.edu> <0341AF35-E78D-42FC-B542-E0186F6632C6@cisco.com>
Date: Thu, 07 Jun 2012 09:02:57 -0400
In-Reply-To: <0341AF35-E78D-42FC-B542-E0186F6632C6@cisco.com> (Joe Salowey's message of "Wed, 6 Jun 2012 16:59:20 -0700")
Message-ID: <tslzk8f2s1q.fsf@mit.edu>
Cc: Sam Hartman <hartmans-ietf@mit.edu>, emu@ietf.org
Subject: Re: [Emu] A review Re: [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt

>>>>> "Joe" == Joe Salowey <jsalowey@cisco.com> writes:

    Joe> So, is your concern with using only MSK crypto binding with an  inner EAP authentication method used to authenticate an unauthenticated/poorly authenticated tunnel or is it more specific to the nea-pt-eap method? 
    Joe> For the first concern it may be sufficient to discuss the issue in the security considerations.

Sounds good to me and that is my concern.

I see no reason EAP-PT needs more text than what we did for the cb
draft.

From internet-drafts@ietf.org  Thu Jun 21 08:48:53 2012
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
Message-ID: <20120621154853.9222.54044.idtracker@ietfa.amsl.com>
Date: Thu, 21 Jun 2012 08:48:53 -0700
Cc: emu@ietf.org
Subject: [Emu] I-D Action: draft-ietf-emu-eap-tunnel-method-03.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the EAP Method Update Working Group of the IETF.

	Title           : Tunnel EAP Method (TEAP) Version 1
	Author(s)       : Hao Zhou
                          Nancy Cam-Winget
                          Joseph Salowey
                          Stephen Hanna
	Filename        : draft-ietf-emu-eap-tunnel-method-03.txt
	Pages           : 99
	Date            : 2012-06-21

Abstract:
   This document defines the Tunnel Extensible Authentication Protocol
   (TEAP) version 1.  TEAP is a tunnel based EAP method that enables
   secure communication between a peer and a server by using the
   Transport Layer Security (TLS) to establish a mutually authenticated
   tunnel.  Within the tunnel, Type-Length-Value (TLV) objects are used
   to convey authentication related data between the EAP peer and the
   EAP server.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-emu-eap-tunnel-method

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-03

A diff from previous version is available at:
http://tools.ietf.org/rfcdiff?url2=draft-ietf-emu-eap-tunnel-method-03


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From hartmans@mit.edu  Thu Jun 28 11:06:19 2012
From: Sam Hartman <hartmans-ietf@mit.edu>
To: zhou.sujing@zte.com.cn
References: <OF11671240.F3BA4407-ON482579E3.00360329-482579E3.003638C2@zte.com.cn>
Date: Thu, 28 Jun 2012 14:06:00 -0400
In-Reply-To: <OF11671240.F3BA4407-ON482579E3.00360329-482579E3.003638C2@zte.com.cn> (zhou sujing's message of "Tue, 17 Apr 2012 17:51:54 +0800")
Message-ID: <tslipebxqev.fsf@mit.edu>
Cc: hartmans-ietf@mit.edu, emu@ietf.org
Subject: Re: [Emu] on draft-hartman-emu-mutual-crypto-bind-00

>>>>> "zhou" == zhou sujing <zhou.sujing@zte.com.cn> writes:

    zhou> To my understanding, right prior to finishing tunnel establishment, EAP peer
    zhou> and EAP Server (print server in the server insertion attack case) should have
    zhou> exchanged channel binding with integrity protection by key only known to EAP
    zhou> peer and EAP server (MSK in this case),

well, I actually think this happens after tunnel establishment and after
the inner method.
So, after the print server learns the MSK.
As I read draft-ietf-emu-chbind nothing forbids this. Certainly the
existing implementations of channel binding I'm aware of work that way.

From hartmans@mit.edu  Thu Jun 28 11:26:03 2012
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Hao Zhou <hzhou@cisco.com>
References: <CB7D0F8F.152CF%hzhou@cisco.com>
Date: Thu, 28 Jun 2012 14:25:44 -0400
In-Reply-To: <CB7D0F8F.152CF%hzhou@cisco.com> (Hao Zhou's message of "Wed, 07 Mar 2012 13:13:51 -0500")
Message-ID: <tslehozxphz.fsf@mit.edu>
Cc: draft-hartman-emu-mutual-crypto-bind@tools.ietf.org, Sam Hartman <hartmans-ietf@mit.edu>, emu@ietf.org
Subject: Re: [Emu] New draft on mutual crypto binding problem

>>>>> "Hao" == Hao Zhou <hzhou@cisco.com> writes:

    Hao> Sam:
    Hao> This is a well thought-out and well-written draft; it covers a lot of background
    Hao> and aspects of the attacks and mitigations. However, I have a few comments:
Thanks!

You listed a set of drawbacks to EMSK-based crypto binding.

    Hao> A. Mutual crypto-binding required the use of EMSK, not all existing EAP
    Hao> methods generate and export EMSK. It will also break intermediate AAA
    Hao> servers. More importantly, it would only work for an EAP method that
    Hao> generates keys. Part of the goal of Tunnel Method is to protect weak
    Hao> authentication or EAP method, this would not benefit them.

These drawbacks to EMSK-based cryptographic binding are documented;
thanks.

    Hao> D. Enforcing server policy would be another good way to go, if server can
    Hao> demand tunnel method only, eliminate the chance of inner method MSK being
    Hao> sent to the attacker.

As discussed in the draft, you actually need a number of conditions
beyond just that.
However I agree server policy is another important mitigation, which is
why the draft recommends it.

    Hao> 2. I am not sure "Mutual Crypto-binding" is a good term, as the existing
    Hao> crypto-binding is already mutually authenticating the peer and the server.
    Hao> Maybe more accurate to be called "Crypto-binding based on EMSK" or "Extended
    Hao> Crypto-binding" etc.

I think of mutual cryptographic binding as crypto binding that provides
defense against these sorts of attacks (and personally don't consider
existing cryptographic binding to really qualify as "mutual".)
I think though that describing this new mechanism as EMSK-based
cryptographic binding is good. We may have other mechanisms that meet
the security goals of mutual cryptographic binding and it is always
desirable to separate mechanism from abstraction.
I've tried to start that transition in the next version of the
draft. Thanks very much for pointing this out.
Doubtless we'll have another round of improving terminology.

Again, thanks so much for your comments.

From ietf@augustcellars.com  Thu Jun 28 17:01:53 2012
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Sam Hartman'" <hartmans-ietf@mit.edu>, <zhou.sujing@zte.com.cn>
References: <OF11671240.F3BA4407-ON482579E3.00360329-482579E3.003638C2@zte.com.cn> <tslipebxqev.fsf@mit.edu>
In-Reply-To: <tslipebxqev.fsf@mit.edu>
Date: Thu, 28 Jun 2012 17:00:32 -0700
Message-ID: <020301cd558a$346451d0$9d2cf570$@augustcellars.com>
Cc: emu@ietf.org
Subject: Re: [Emu] on draft-hartman-emu-mutual-crypto-bind-00

> -----Original Message-----
> From: emu-bounces@ietf.org [mailto:emu-bounces@ietf.org] On Behalf Of
> Sam Hartman
> Sent: Thursday, June 28, 2012 11:06 AM
> To: zhou.sujing@zte.com.cn
> Cc: hartmans-ietf@mit.edu; emu@ietf.org
> Subject: Re: [Emu] on draft-hartman-emu-mutual-crypto-bind-00
> 
> >>>>> "zhou" == zhou sujing <zhou.sujing@zte.com.cn> writes:
> 
>     zhou> To my understanding, right prior to finishing tunnel establishment, EAP peer
>     zhou> and EAP Server (print server in the server insertion attack case) should have
>     zhou> exchanged channel binding with integrity protection by key only known to EAP
>     zhou> peer and EAP server (MSK in this case),
> 
> well, I actually think this happens after tunnel establishment and after
> the inner method.
> So, after the print server learns the MSK.
> As I read draft-ietf-emu-chbind nothing forbids this. Certainly the
> existing implementations of channel binding I'm aware of work that way.

I think that as I understand it, it would occur before the MSK has been
computed.  An "intermediate" value has been computed but a new channel
binding method could be defined that adds to the MSK and other EAP methods
could be run after the channel binding has been done.

Jim



From hartmans@mit.edu  Thu Jun 28 18:19:25 2012
From: Sam Hartman <hartmans-ietf@mit.edu>
To: "Jim Schaad" <ietf@augustcellars.com>
References: <OF11671240.F3BA4407-ON482579E3.00360329-482579E3.003638C2@zte.com.cn> <tslipebxqev.fsf@mit.edu> <020301cd558a$346451d0$9d2cf570$@augustcellars.com>
Date: Thu, 28 Jun 2012 21:18:57 -0400
In-Reply-To: <020301cd558a$346451d0$9d2cf570$@augustcellars.com> (Jim Schaad's message of "Thu, 28 Jun 2012 17:00:32 -0700")
Message-ID: <tslfw9ex6da.fsf@mit.edu>
Cc: 'Sam Hartman' <hartmans-ietf@mit.edu>, emu@ietf.org
Subject: Re: [Emu] on draft-hartman-emu-mutual-crypto-bind-00

>>>>> "Jim" == Jim Schaad <ietf@augustcellars.com> writes:


Before the outer MSK has been computed, yes.
Before the inner MSK (the one you need to attack crypto binding) has
been computed, no.
Also, note that the RADIUS server only knows about the inner method, so
it will transport the inner MSK as soon as it believes the inner method
succeeds.
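
Added example, not part of the original messages or of any draft: a simplified Python model of the point made in the thread above, that the inner MSK leaves the home server as soon as the inner method succeeds while the EMSK does not, so a binding keyed from the EMSK can only be produced by the home server. The HMAC-based derivations, all function names and the sample values are assumptions made for illustration; they are not the key hierarchy of any real EAP method.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes) -> bytes:
    """Toy derivation step (HMAC-SHA256), standing in for a method's real KDF."""
    return hmac.new(key, label, hashlib.sha256).digest()

def inner_method_keys(credential: bytes, nonce: bytes) -> dict:
    """Keys the peer and the home EAP server both derive from the inner method."""
    root = kdf(credential, b"inner-root|" + nonce)
    return {"msk": kdf(root, b"MSK"), "emsk": kdf(root, b"EMSK")}

def aaa_transport(keys: dict) -> dict:
    """What leaves the home server once the inner method succeeds: the MSK only."""
    return {"msk": keys["msk"]}

def binding_mac(inner_key: bytes, tunnel_key: bytes, transcript: bytes) -> bytes:
    """Crypto-binding value: MAC over the exchange, keyed from inner and tunnel keys."""
    compound = kdf(inner_key, b"compound|" + tunnel_key)
    return hmac.new(compound, transcript, hashlib.sha256).digest()

def endpoint_binding(held, tunnel_key, transcript, key_name):
    """Tunnel endpoint builds the binding from whichever inner keys it holds."""
    if key_name not in held:
        return None  # cannot compute a binding keyed from a key it never received
    return binding_mac(held[key_name], tunnel_key, transcript)

def peer_accepts(peer_keys, tunnel_key, transcript, mac, key_name):
    """Peer recomputes the binding from its own inner keys and compares."""
    if mac is None:
        return False
    expected = binding_mac(peer_keys[key_name], tunnel_key, transcript)
    return hmac.compare_digest(expected, mac)

def run(endpoint_is_home_server: bool, key_name: str) -> bool:
    """True if the peer accepts the tunnel endpoint's crypto binding."""
    # Constructed sample values, not taken from any real exchange.
    credential, nonce = b"constructed-credential", b"constructed-nonce"
    tunnel_key, transcript = b"constructed-tunnel-key", b"constructed-tlv-exchange"
    keys = inner_method_keys(credential, nonce)
    held = keys if endpoint_is_home_server else aaa_transport(keys)
    mac = endpoint_binding(held, tunnel_key, transcript, key_name)
    return peer_accepts(keys, tunnel_key, transcript, mac, key_name)

if __name__ == "__main__":
    for home in (True, False):
        for name in ("msk", "emsk"):
            print(f"home_server={home} binding_key={name}: accepted={run(home, name)}")
```

In this model the only combination the peer rejects is a tunnel endpoint that holds just the transported MSK while the binding is keyed from the EMSK.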

From internet-drafts@ietf.org  Fri Jun 29 05:01:29 2012
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
Message-ID: <20120629120054.1719.80211.idtracker@ietfa.amsl.com>
Date: Fri, 29 Jun 2012 05:00:54 -0700
Cc: emu@ietf.org
Subject: [Emu] I-D Action: draft-ietf-emu-crypto-bind-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the EAP Method Update Working Group of the IETF.

	Title           : EAP Mutual Cryptographic Binding
	Author(s)       : Sam Hartman
                          Margaret Wasserman
                          Dacheng Zhang
	Filename        : draft-ietf-emu-crypto-bind-00.txt
	Pages           : 24
	Date            : 2012-06-28

Abstract:
   As the Extensible Authentication Protocol (EAP) evolves, EAP peers
   rely increasingly on information received from the EAP server.  EAP
   extensions such as channel binding or network posture information are
   often carried in tunnel methods; peers are likely to rely on this
   information.  [RFC 3748] is a facility that protects tunnel methods
   against man-in-the-middle attacks.  However, cryptographic binding
   focuses on protecting the server rather than the peer.  This memo
   explores attacks possible when the peer is not protected from man-in-
   the-middle attacks and recommends mutual cryptographic binding, a new
   form of cryptographic binding that protects both peer and server
   along with other mitigations.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-emu-crypto-bind

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-emu-crypto-bind-00


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

