RE: Basic facts about EAP
From: Salowey, Joe (jsaloweycisco.com)
Date: Tue, 10 May 2005 20:24:53 -0400 (EDT)
 

> -----Original Message-----
> From: Bernard Aboba [mailto:aboba [at] internaut.com] 
> Sent: Monday, May 02, 2005 10:46 PM
> To: Nicolas Williams
> Cc: Salowey, Joe; Zorn, Glen; Pasi.Eronen [at] nokia.com; eap [at] frascone.com
> Subject: Re: [eap] Basic facts about EAP
> 
> > these schemes expect the EAP-Peer to have knowledge of both the 
> > EAP-Authenticator and EAP-Server.
> 
> I don't think this is necessarily true.  For example, if the 
> server lower layer passes up opaque blobs to be transported 
> via the method from the server to the peer, and then pushed 
> back down to the peer lower layer for verification, then the 
> method need have no knowledge of the media or of the authenticator.

[Joe] True, my explanation was bad.  I was trying to say the Peer needs
to determine the identity it authenticated as the EAP-Server is
associated with an entity that is trusted to provide or validate that
opaque information, additional knowledge about the entity hosting the
EAP authenticator is required in EAP.     

> 
> > Your description of EAP channel bindings, to me, goes hand in hand 
> > with thinking of the EAP authenticator in passthrough methods as part 
> > of the network infrastructure.
> 
> In "pass-through" the EAP authenticator is no more a part of 
> the EAP conversation than a router is part of a TCP 
> conversation between two endpoints.
> 
> > A variant which allowed for proxying of AS and TGS exchanges by a GSS 
> > acceptor would be very similar to the world of EAP.
> 
> Such a method was specified, but never implemented (EAP-GSS).
> 
