
[LinkSec] Comments on Authentication Types




Bob,

   Some comments:

   Section: Authentication flows; Subsection: Client/Server versus Peer-to-Peer

What about the case where each Peer is both Client and Server, each to the
other?  In the case of two 802.1X Client/Servers facing each other, what role
reversal and/or race condition(s) must be solved?  In other words, why can't
there be two flows, so that flow reversal is a non-issue?

   Section: What is Mutual Authentication?

I found the four authentication types:

Explicit, Secured Identity Authentication
Implicit, Secured Identity Authentication
Explicit, Unsecured Identity Authentication
Implicit, Unsecured Identity Authentication

rather unenlightening, likely because of my weak background in security.
I cannot determine, from the preceding paragraphs, what is "explicit" and
what "implicit".  The bullets above this paragraph may be intended to
make this clear, but the connection between the bullets and the terms
"explicit" and "implicit" was not clear enough for me to follow.  I'm
not sure that the following paragraph, describing secured identities,
helped me much, either.

   Missing?

In this writeup, should there be some discussion of the requirement to tie
the authentication to the MAC addresses used by the parties?  This might
include a discussion about binding the identities exchanged in the
authentication process to a MAC, what that means, what the limitations
of that concept are for securing user data, etc.  Or, is that a subject
for a later document?

-- Norm