draft on authenticated service identities
From: Jari Arkko (jari.arkkopiuha.net)
Date: Fri, 2 Apr 2004 07:47:43 -0500 (EST)
Pasi and I have written a draft on the authentication
of service identities (= service parameters claimed
by access servers) in EAP. Essentially, the draft
is an extension of EAP-TLS, EAP-SIM, EAP-AKA, and PEAPv2
for transporting and authenticating parameters related
to the offered service. This makes it possible to ensure,
for instance, that everyone agrees about the claimed SSID
or that a compromised access point cannot present itself
as an IKEv2 gateway.

Here's the abstract:

   A common arrangement in network access is the separation of the
   actual network access device (such as a wireless LAN access point)
   from the authentication servers. In the Extensible Authentication
   Protocol (EAP) framework, different authentication methods can
   provide varying security properties. If the EAP methods support
   authentication of service identities, it becomes possible for the
   clients to verify not only that the access device is trusted, but
   also that the parameters advertised by the access device are correct.
   This document specifies a backward compatible extension to popular
   EAP methods for supporting such service identity authentication. A
   common parameter name space is created in order to ensure that the
   same parameters can be communicated independent of the choice of the
   authentication method.

The draft has been submitted, but before it appears
in the official directories, you can access it from
the following URLs:

  http://www.arkko.com/publications/eap/draft-arkko-eap-service-identity-auth-00.txt
  http://www.arkko.com/publications/eap/draft-arkko-eap-service-identity-auth-00.html

Comments are appreciated.

--Jari


