[Emu] Problems with the Channel Bindings document

Joe Salowey said:

“[Joe] I don't think a general discussion of authorization belongs in the
channel bindings document.  Channel bindings is much smaller scope than
the general authorization problem. Is there something about channel
bindings that is unclear in the document?”

I would agree that a general discussion of authorization does not belong in the
Channel Bindings document, and that Channel Bindings has much smaller scope.
However, the Channel Bindings document currently does discuss the generic
authorization problem – suggesting that Channel Bindings is a solution to that
problem in addition to the “Lying NAS” problem. This represents a basic
misunderstanding of the nature of Channel Bindings that has led to some of the
confusion on the list.

The problem begins in Section 1.

Rather than summarizing the nature of Channel Bindings within the Introduction,
the document launches into a discussion of the “lying NAS” problem, and then,
within the same section, discusses “another current limitation of EAP” which is
“minimal ability to perform authorization.”

The document defines EAP channel bindings as the solution to both of these
problems.

This is clearly wrong – EAP Channel Bindings as defined in RFC 3748 and 5247
is not a generic authorization mechanism, and the Channel Binding document
should not assert that it is. In doing so, the Channel Bindings document is
inconsistent with the RFC 3748 and RFC 5247 definitions of Channel Bindings.


Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.