1. Glen Zorn Cisco Systems gwz@cisco.com
Specifying Security Claims for EAP Authentication Types (draft-zorn-eap-eval-00.txt)
Glen Zorn
Cisco Systems

2. How to Evaluate the Security of EAP Authentication Types?
Define terms
Specify security claims
Evaluate claims against
Type definition
User security Requirement

3. Defining Terms Clear Unambiguous Available RFC 2828
“Terminology” section of I-D

4. Specifying Security Claims
In “Security Considerations” section?
Claims must be specified in defined terms
Independent
Stand-alone
Proofs encouraged
Should be in appendix

5. Evaluating Security Claims
Two evaluative modes
Evaluate against type description
Useful in IETF
Evaluate against security requirements
Useful in evaluating for deployment

6. Problems Terms largely un/underdefined
RFC 2828 doesn’t define “mutual authentication”
Define a set of EAP-specific terms?
Security "qualities" difficult to demonstrate, prove

7. Recommendations Work on this technique further
Incorporate into RFC 2284bis?
Design team to define terms?