Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
On Fri, Apr 06, 2007 at 02:41:09PM -0400, Charles Clancy wrote:
> Sam,
>
> In skimming through Nico's draft, it looks like EAP's crypto bindings look
> something like GSS channel bindings.
Note: my I-D does not describe GSS channel binding -- it describes
channel binding. The reference to GSS channel binding is there as an
informative, historical note.
> EAP's channel bindings, on the other hand, don't really look like GSS
> channel bindings. In order for EAP's channel binding to look like GSS
> channel binding, EAP channel binding would have to cryptographically bind
> an L2 security association to EAP keys -- but that's not what it's doing.
> It's binding L2 identities to EAP keys. In fact, there's no reason it has
^^^^^^^^^^^^^
When the identities of the two end-points of a channel are (a)
cryptographically bound into that channel, and (b) such that other channels
between different pairs of end-points could not have the same end-point
identities, THEN we can call that pair of channel end-point identities
"end-point channel bindings" -- as my I-D explains.
> to be an L2 identity. It can be any identity that's meaningful to the
> parties involved, and can serve as the basis for making authorization
> decisions.
As long as it's cryptographically bound to the L2 channel and that
channel provides suitable protection for the EAP method doing the EAP
channel binding, THEN Sam's observation is correct: "EAP channel
binding" uses what I termed "end-point channel binding" and "EAP
cryptographic binding" uses what I termed "unique channel binding."
> Perhaps you could abstract the definition of channel bindings even further
> such that all three are subsets of some common terminology... but that
> sounds painful.
No, I think we did just that, but I had not noticed that, in fact, the
two kinds of EAP binding map to the two kinds of channel binding
described in my draft. Thanks Sam!
Nico
--
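The two kinds of channel binding contrasted in this exchange, as an added illustration that is not part of the thread, the I-D, or any EAP method implementation: a toy key derivation in Python that mixes channel-binding data into an EAP key, once with data naming the channel instance ("unique channel binding") and once with the two end-point identities ("end-point channel binding"). The EAP key, identities, transcripts, and the HMAC-SHA256 stand-in for the method's KDF are all constructed for the example; the only point shown is that the two ends reach the same bound key exactly when they hold the same view of the channel, which is what makes the binding usable for an authorization decision.

```python
"""Toy model of unique vs. end-point channel binding (constructed example).

Not code from the I-D or from any EAP implementation; HMAC-SHA256 stands
in for whatever KDF a real method would use.
"""
import hashlib
import hmac


def bind_key(eap_key: bytes, binding: bytes) -> bytes:
    """Derive a key that depends on both the EAP key and the channel-binding data."""
    return hmac.new(eap_key, b"channel-binding|" + binding, hashlib.sha256).digest()


def unique_binding(channel_transcript: bytes) -> bytes:
    """Unique channel binding: data naming one channel instance (here a transcript hash)."""
    return b"unique|" + hashlib.sha256(channel_transcript).digest()


def endpoint_binding(peer_id: bytes, authenticator_id: bytes) -> bytes:
    """End-point channel binding: the identities of the channel's two end-points."""
    return b"endpoint|" + peer_id + b"|" + authenticator_id


def peer_confirmation(eap_key: bytes, peer_view: bytes) -> bytes:
    """The peer proves its view of the channel by MACing a fixed label under the bound key."""
    return hmac.new(bind_key(eap_key, peer_view), b"confirm", hashlib.sha256).digest()


def server_accepts(eap_key: bytes, server_view: bytes, confirmation: bytes) -> bool:
    """The server recomputes the tag from its own view; a mismatch means the views differ."""
    expected = hmac.new(bind_key(eap_key, server_view), b"confirm", hashlib.sha256).digest()
    return hmac.compare_digest(expected, confirmation)


# Constructed sample: an EAP key shared by peer and server after a successful method run.
EAP_KEY = hashlib.sha256(b"constructed EAP master session key").digest()


def endpoint_binding_check(reported_authenticator: bytes) -> bool:
    """End-point binding: the peer saw authenticator 'ap-lobby' (constructed identity);
    the server was told `reported_authenticator`. True only when the two views agree."""
    peer_view = endpoint_binding(b"alice", b"ap-lobby")
    server_view = endpoint_binding(b"alice", reported_authenticator)
    return server_accepts(EAP_KEY, server_view, peer_confirmation(EAP_KEY, peer_view))


def unique_binding_check(peer_transcript: bytes, server_transcript: bytes) -> bool:
    """Unique binding: both ends must have observed the same channel instance."""
    return server_accepts(EAP_KEY, unique_binding(server_transcript),
                          peer_confirmation(EAP_KEY, unique_binding(peer_transcript)))


if __name__ == "__main__":
    print("same authenticator identity at both ends :", endpoint_binding_check(b"ap-lobby"))
    print("different identity reported to the server:", endpoint_binding_check(b"ap-guest"))
    print("same channel transcript at both ends     :", unique_binding_check(b"L2 hello 1", b"L2 hello 1"))
    print("different channel instance               :", unique_binding_check(b"L2 hello 1", b"L2 hello 2"))
```

The confirmation tag is compared with `hmac.compare_digest` so the bound key itself is never exchanged; an end-point binding fails when the identity the peer observed differs from the one the server was given, and a unique binding fails when the two ends were on different channel instances, independent of who the end-points are.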
_______________________________________________
Emu mailing list
Emu at ietf.org
https://www1.ietf.org/mailman/listinfo/emu
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.