Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings

To: Sam Hartman <hartmans-ietf at mit.edu>
Subject: Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
From: Charles Clancy <clancy at cs.umd.edu>
Date: Fri, 13 Apr 2007 19:52:17 -0400
Cc: bernarda at microsoft.com, ietf at ietf.org, Nicolas Williams <Nicolas.Williams at sun.com>, emu at ietf.org
In-reply-to: <tslabxbc1uo.fsf@mit.edu>
List-help: <mailto:ietf-request@ietf.org?subject=help>
List-id: IETF-Discussion <ietf.ietf.org>
List-post: <mailto:ietf@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
References: <tslbqi1ieke.fsf@cz.mit.edu> <461DCBB1.1010401@qualcomm.com> <20070412151020.GZ28748@Sun.COM> <461F1573.2080604@qualcomm.com> <tslabxbc1uo.fsf@mit.edu>
User-agent: Thunderbird 1.5.0.10 (Windows/20070221)

Sam Hartman wrote:
> The more I
> read what you, Bernard and Charles say, the more I'm convinced that I
> agree with your description of EAP and that my text is correct.  The
> more I talk, the more you're convinced that my text is wrong.
> We're talking past each other somehow.

I think your text was correct, but incomplete. I think the SAP needs to be included, as it does channel bindings under Nico's broader definition. The SAP does an EAP lower-layer to EAP layer binding -- it just doesn't provide the authorization you're looking for, hence why we need EAP channel bindings to prevent the lying NAS problem.

Sam's suggested text:

  The first, called channel
  binding, is used to bind the lower-layer channel created between the
  peer and the authenticator to the authentication performed using EAP.
  Specific detials of this facility have not been specified, but it is
  likely that this channel would use endpoint channel bindings carried
  in the EAP method exchange.

My suggestion for Sam's suggested text:

  The first, called channel
  binding, is used to bind the lower-layer channel created between the
  peer and the authenticator to the authentication performed using EAP.
  The Secure Association Protocol (SAP) defined by the EAP lower layer
  often binds lower-layer identities and sometimes even AAA identities
  into the key derivation, serving to bind EAP keys to the EAP lower
  layer.  However, as this binding is done by the lower layer, and not
  EAP, there is no explicit authorization by the EAP server for the
  lower layer to use the EAP keys.  Consequently, EAP channel bindings
  are defined in RFC 3748 to perform the binding at the EAP layer.
  Specific details of this facility have not been specified, but it is
  likely that this channel would use endpoint channel bindings carried
  in the EAP method exchange.


--
t. charles clancy, ph.d.  |  tcc at umd.edu  |  www.cs.umd.edu/~clancy


_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

Follow-Ups:
- Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
  - From: Nicolas Williams
- Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
  - From: Nicolas Williams

References:
- Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
  - From: Sam Hartman
- Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
  - From: Lakshminath Dondeti
- Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
  - From: Nicolas Williams
- Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
  - From: Lakshminath Dondeti
- Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
  - From: Sam Hartman

Prev by Date: Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
Next by Date: Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
Previous by thread: Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
Next by thread: Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.