RE: Key derivation and the principle of equivalence
From: Salowey, Joe (jsalowey [at] cisco.com)
Date: Fri, 13 May 2005 01:05:28 -0400 (EDT)
 

> -----Original Message-----
> From: Jari Arkko [mailto:jari.arkko [at] piuha.net] 
> Sent: Thursday, May 12, 2005 12:09 AM
> To: Bernard Aboba
> Cc: eap [at] frascone.com
> Subject: Re: [eap] Key derivation and the principle of equivalence
> 
> I think this looks like a useful simplification of the 
> document. There may be some smaller things to think about, 
> however. For instance,
> 
> >   Within EAP, the primary function of the AAA protocol is to maintain
> >   the principle of Mode Independence, so that as far as the EAP peer is
> >   concerned, its conversation with the EAP authenticator, and all
> >   consequences of that conversation, are identical, regardless of the
> >   authenticator mode of operation.
> >
> This seems true. Interestingly, it even seems true if one 
> imagines a fast handoff scenario where you start off from a 
> combined NAS-AAA device and handoff to another NAS.
> 
> But it's also interesting to note what the text above does not 
> say. I believe peers already can learn the identities of both 
> the authenticator and the server, separately, and if channel 
> bindings are provided peers can also learn of potential 
> discrepancies among the properties claimed by the different 
> parties. Of course, such discrepancies can be learned even if 
> all of this is in the same box.
> 

[Joe] Yes, it seems that the peer (or the entity hosting the peer) can
know the identity of the party it is communicating with and
possibly determine that it is an EAP server vs. an authenticator.
However, the basic method operation and communication should be the same.
It seems a method shouldn't change its behavior if it is running on an
EAP server vs. an authenticator.  I think it is possible that context
data exported from the method may be interpreted differently by
processes external to EAP.

> Secondly, the text does not say anything about fast handoffs 
> (and this may well be right). But in fast handoffs peer would 
> again be aware of changing identities of the authenticator 
> (even though in this case you'd not really be running EAP 
> again). And keys for this would be created slightly 
> differently. But again, the peer has no real knowledge of 
> whether he handed off to a new box or just a different part 
> of the same box.
> 

[Joe] I think it would really be good to avoid fast handoff discussion
in this part of the document. 

> --Jari
> 
> _______________________________________________
> eap mailing list
> eap [at] frascone.com
> http://mail.frascone.com/mailman/listinfo/eap
> 
