Steve Hanna said: “However, I agree that it would be better to get IESG clarification that
carrying authorization data in EAP is permissible. As Alan suggested,
the first step is probably to have a WG consensus check
to verify that we have rough consensus that this should be
permitted. After that, maybe we would ask the IESG for a clarification
of the applicability statement for EAP. I
will note that the IESG has already approved a change to the EMU
charter to add a work item for channel bindings. So they have
already indicated their support for that effort.”

Do we really need “IESG clarification” or a “consensus
check” to verify that IESG approval of a work item for channel bindings should be interpreted as approval to actually work on channel
bindings??? Given that Channel Bindings is discussed in both RFC 3748
and 5247, I think we can say definitively that regardless of whether
Channel Bindings are actually useful (personally, I have doubts), they
are within the scope of applicability of RFC 3748.

However, those documents make it clear that Channel
Bindings were not intended as a generic authorization exchange (despite
the confusion on that point within the Channel Bindings document).
Therefore IESG approval of a Channel Bindings work item should not be construed as a
license to change the definition of Channel Bindings to satisfy another
distinct need. Doing so would require updating of RFC 3748 and 5247, which is not
within the EMU WG charter.