| RE: Issue 213: Cleanup issues | <– Date –> <– Thread –> |
From: Joseph Salowey (jsalowey cisco.com)
|
|
| Date: Tue, 20 Jan 2004 23:52:41 -0500 (EST) | |
Bernard Aboba wrote: <snip> > > " Protected result indications > A method provides result indications if after the method > has finished (1) if the peer is willing to use the access > provided by the authenticator, it knows whether the > authenticator will grant access (that is, only either an > EAP-Success or EAP-Failure will be accepted, no > more method > specific messages are expected), and (2) if the > authenticator decides to grant access, it knows > whether the > peer will accept it. Result indications improve > resilience to packet loss; see Section 4.2 for > discussion. Depending on the method and circumstances, > result > indications can be > spoofable by an attacker. A method is said to provide > protected result indications if it supports result > indications as well as the "integrity protection" and > "replay protection" claims. A method claiming to support > protected result indications MUST indicate which result > indications are protected, and which are not. > See Section > 7.16 for details." > To: > > Protected result indications > A method provides result indications if after the > method has finished: > > 1) When peer is willing to accept access to the network, it > knows whether the authenticator will grant access. > > 2) When the peer decides to grant access, it knows > whether the peer will accept it. > [Joe] Here again we have a mix of authentication and authorization. It would be better to qualify the above statement. "Protected result indications A method provides result indications if after the method has finished: 1) When peer successfully completes the authentication, it knows whether the authenticator has successfully completed the authentication. 2) When the authenticator successfully completes the authentication, it knows whether the peer has successfully completed the authentication. In the case where successful authentication is sufficient to authorize access then the peer and authenticator will also know if the other party is willing to provide or accept access. This may not always be the case." > Result indications improve resilience to packet loss, > and prevent long timeouts; see Section 4.2 for discussion. > Depending on the method design and circumstances, result > indications may be vulnerable to spoofing or replay by an attacker. > > A method is said to provide protected result indications if > it supports result indications as well as the > "integrity protection" and "replay protection" claims. > A method claiming to support protected result indications > MUST indicate which result indications are protected, and > which are not. See Section 7.16 for details." > _______________________________________________ > eap mailing list > eap [at] frascone.com > http://mail.frascone.com/mailman/listinfo/eap
-
Issue 213: Cleanup issues Bernard Aboba, January 20 2004
- RE: Issue 213: Cleanup issues Joseph Salowey, January 20 2004
-
RE: Issue 213: Cleanup issues Bernard Aboba, January 22 2004
- RE: Issue 213: Cleanup issues Joseph Salowey, January 25 2004
-
RE: Issue 213: Cleanup issues Bernard Aboba, February 1 2004
- RE: Issue 213: Cleanup issues Joseph Salowey, February 1 2004
Results generated by Tiger Technologies using MHonArc.