Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings

[Lakshminath Dondeti <ldondeti at qualcomm.com>]

Hi Nico,

Please see inline:

Nicolas Williams wrote:
> On Wed, Apr 11, 2007 at 11:03:29PM -0700, Lakshminath Dondeti wrote:
> > After having reviewed "draft-williams-on-channel-binding-01," I feel 
> > that putting EAP in scope of that document would require a rather 
> > involved revision of the document.  As Charles noted it might require 
> > further abstraction of the concept of channel binding as defined in 
> > draft-williams.
> >
> > Now, I must say, I do see the similarities between the two notions of 
> > channel binding.  But the EAP/AAA model is unique and it is not easy to 
> > map it to the other, let's say simpler, security models.  The notion of 
> > compound binding or crypto binding also has some similarities to the 
> > notion of channel binding in draft-williams-on-channel-binding-01, but 
> > there are also some differences.
> >
> > Overall though, since expanding draft-williams-on-channel-binding-01's 
> > scope to EAP means that the requirements, recommendations and 
> > suggestions of Section 2.1 may be applied to EAP channel binding, it 
> > would be a rather painful exercise to sort it all out.  For now, I am 
> > comfortable with the guidance in Section 7.15 of 3748.
>
> My impression was that Sam's suggested text was introductory and
> informative, and not at all intended to cause this doc to normatively
> constrain EAP.

The draft is standards track and there is a lot of 2119 language in there.

> I think that having a single abstraction that can describe what went by
> multiple names in different areas can be very useful because it
> facilitates cross-area communication.  And missing an opportunity to
> point out how two things are more similar than they look would help
> perpetuate a perception that those two things are more different than
> they actually are.

I can see your point of view.  The other thing to worry about is that 
the more we try to cover under a single abstraction, the more watered 
down it might become to satisfy all viewpoints of applicability to all 
of the domains.  In fact, I find the requirements and recommendations in 
the draft troublesome.

As I thought about it, perhaps here is something that might make sense:

Define channel binding so that we can cover all uses of that term. 
Define properties and specify how one can achieve those properties.  Not 
sure this next one needs to be done in the current draft, define which 
properties apply to which protocol.  Alternatively, different protocol 
drafts may specify which of the properties are required or recommended 
in each case.

Does that make sense?

I know I am suggesting this, but until something like that is written, I 
am not sure we can get there (haven't put enough thought into whether a 
common consensus abstraction is possible here or not).  As I noted in my 
review of your draft, EAP model is different from some of the other 
security models in the IETF.

best regards,
Lakshminath

> Nico

_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf