Re: Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings

To: Nicolas Williams <Nicolas.Williams at sun.com>
Subject: Re: Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
From: Sam Hartman <hartmans-ietf at mit.edu>
Date: Fri, 06 Apr 2007 16:13:46 -0400
Cc: bernarda at microsoft.com, ietf at ietf.org, emu at ietf.org
In-reply-to: <20070406190619.GM28748@Sun.COM> (Nicolas Williams's message of "Fri, 6 Apr 2007 14:06:20 -0500")
List-help: <mailto:ietf-request@ietf.org?subject=help>
List-id: IETF-Discussion <ietf.ietf.org>
List-post: <mailto:ietf@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
References: <tslbqi1ieke.fsf@cz.mit.edu> <20070406190619.GM28748@Sun.COM>
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)

>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:

    Nicolas> Also, I think my draft's definition of "end-point channel
    Nicolas> bidning" needs to be tightened just a bit: not only must
    Nicolas> the end-point IDs be cryptographically bound into the
    Nicolas> channel, it must also be the case that the IDs
    Nicolas> meaningfully identify the channel end-points -- that is,
    Nicolas> that one nodes cannot assert the same ID as another
    Nicolas> without sharing credentials with it.  I think my text
    Nicolas> implies this but does not make it sufficiently explicit.

Be careful.  A DN given a trust anchor seems like a find end-point
identifier.  However two nodes can share the same DN without sharing
the same credential.  Under 3280 rules either the CA issued a
certificate it should not have issued or the two nodes are the same
subject.  That's strong enough for the channel binding to be useful
even though the nodes may not share a credential.


_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf





protocol as the
    Charles> EAP<->L2 binding.

The L2 secure association protocol cannot be an eap->anything binding:
it does not typically use EAP level identifiers.

    Charles> -- t. charles clancy, ph.d.  <> tcc at umd.edu <>
    Charles> www.cs.umd.edu/~clancy





_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

References:
- Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
  - From: Sam Hartman
- Re: Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
  - From: Nicolas Williams

Prev by Date: Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
Next by Date: RE: Withdrawal of Approval and Second Last Call: draft-housley-tls-authz-extns
Previous by thread: Re: Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
Next by thread: Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Re: Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.