Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings

To: "Nicolas Williams" <Nicolas.Williams at sun.com>
Subject: Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
From: "Charles Clancy" <clancy at cs.umd.edu>
Date: Fri, 6 Apr 2007 15:13:04 -0400 (EDT)
Cc: bernarda at microsoft.com, Sam Hartman <hartmans-ietf at mit.edu>, ietf at ietf.org, emu at ietf.org
Importance: Normal
In-reply-to: <20070406184854.GL28748@Sun.COM>
List-help: <mailto:ietf-request@ietf.org?subject=help>
List-id: IETF-Discussion <ietf.ietf.org>
List-post: <mailto:ietf@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
References: <tslbqi1ieke.fsf@cz.mit.edu> <43960.63.239.69.1.1175884869.squirrel@webmail.cs.umd.edu> <20070406184854.GL28748@Sun.COM>
User-agent: SquirrelMail/1.4.5

>> to be an L2 identity.  It can be any identity that's meaningful to the
>> parties involved, and can serve as the basis for making authorization
>> decisions.
>
> As long as it's cryptographically bound to the L2 channel and that
> channel provides suitable protection for the EAP method doing the EAP
> channel binding, THEN Sam's observation is correct: "EAP channel
> binding" uses what I termed "end-point channel binding" and "EAP
> cryptographic binding" uses what I termed "unique channel binding."

I don't think I'm convinced that EAP channel bindings are doing this
binding to the L2 channel.  The identity used in an EAP channel binding
must be bound to the AAA security association between the authenticator
and the peer  in order for everything to work, so it would be more likely
a NAS-ID than a MAC address.

That's not to say there isn't an L2 binding happening -- but I think it's
being performed by the L2 secure association phase that uses the EAP key
to derive L2 keys.  Then during that handshake, a MAC address may be
involved, binding in an L2 identity.

I guess I see EAP channel bindings as an EAP<->AAA binding, and the L2
secure association protocol as the EAP<->L2 binding.

-- 
t. charles clancy, ph.d.  <>  tcc at umd.edu  <>  www.cs.umd.edu/~clancy


_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

Follow-Ups:
- Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
  - From: Sam Hartman

References:
- Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
  - From: Sam Hartman
- Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
  - From: Charles Clancy
- Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
  - From: Nicolas Williams

Prev by Date: Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
Next by Date: RE: Withdrawal of Approval and Second Last Call: draft-housley-tls-authz-extns
Previous by thread: Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
Next by thread: Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.