RE: RE: channel binding
From: Salowey, Joe (jsaloweycisco.com)
Date: Mon, 8 Aug 2005 14:08:12 -0400 (EDT)
> >
> >[Joe] We are discussing the capabilities of an EAP-method. Although an
> >EAP-method can generate keys there is nothing forcing those keys to be
> >used for anything. Binding data to the authentication exchange and
> >binding data to the key derivation are similar but different approaches.
> 
> Although I agree that binding data to the authentication 
> exchange and binding data to the key derivation are different 
> approaches, I don't agree with using keys generated by an EAP 
> method for arbitrary purpose, especially AAA-Key.  I think 
> there is a key-scoping issue if we do not specify the usage 
> of the keys generated by an EAP method.  At least AAA-Key 
> should be restricted to be used by a specific pair of EAP 
> peer and authenticator. Also, this is also related to EAP 
> applicability statement which currently allows the use of EAP 
> for network access authentication, not for authentication for 
> arbitrary application.
>

[Joe] I'm not sure what you are talking about as this has nothing to do
with what I mentioned above.  I suggest that we do not try to confuse
the issue.

> Besides this I have two issues on the use of EAP-method based 
> channel binding scheme.
> One issue is as described in section 2 of 
> draft-ohba-eap-aaakey-binding. 
> The other issue
> is complexity being added to each EAP method by having direct 
> communication between each EAP method and lower layer, which 
> is not described in the EAP state machine I-D. The latter 
> issue keeps me away from implementing EAP-method based 
> channel binding scheme in Open Diameter EAP libraries.
> 
[Joe] Neither mechanism is ideal, as they both require changes to the
system. I am not arguing against binding information in the key
derivation. I am saying that performing this function in the mechanism
is different than performing it in the key derivation and that I believe
it is advantageous to have this functionality in the mechanism.

> Regards,
> Yoshihiro Ohba
> 
> 
> >I do not think that one should eliminate binding of data in the
> >authentication in favor of binding data in the key derivation as they
> >solve different problems. I am not familiar with the EAP-IKEv2 use of
> >"channel bindings", but I would rather see the capability fixed if it
> >has a problem than removed.
> >_______________________________________________
> >eap mailing list
> >eap [at] frascone.com
> >http://mail.frascone.com/mailman/listinfo/eap
> 
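
The two approaches contrasted in this exchange, as an added illustration that is not part of the thread and does not reproduce any EAP method's real key hierarchy; the HMAC-based KDF, the label strings, the sample MSK and the peer/authenticator identifiers are all assumptions:

```python
import hashlib
import hmac

# Constructed sample values (not output of any real EAP method run).
MSK = bytes.fromhex("00112233445566778899aabbccddeeff"
                    "00112233445566778899aabbccddeeff")
PEER_ID = b"peer@example.com"
AUTHENTICATOR_ID = b"nas-1.example.net"


def derive_bound_key(msk: bytes, label: bytes,
                     peer_id: bytes, authenticator_id: bytes) -> bytes:
    """Approach 1: bind identities into the key derivation.

    Illustrative HMAC-based KDF (an assumption, not the EAP keying
    framework). The derived key is scoped to one (peer, authenticator)
    pair: a key handed to a different authenticator will not match the
    peer's key, but the mismatch only shows up as a later key failure.
    """
    context = label + b"\x00" + peer_id + b"\x00" + authenticator_id
    return hmac.new(msk, context, hashlib.sha256).digest()


def bind_in_exchange(method_key: bytes, channel_data: bytes) -> bytes:
    """Approach 2: bind the channel data inside the authentication exchange.

    The EAP method protects the channel-binding data (e.g. the identity
    the authenticator advertised) with a MAC under a method-derived key,
    so a mismatch is detected while the method is still running.
    """
    msg = b"channel-binding" + b"\x00" + channel_data
    return hmac.new(method_key, msg, hashlib.sha256).digest()


def verify_exchange(method_key: bytes, channel_data: bytes, tag: bytes) -> bool:
    """Peer-side check of the MAC from bind_in_exchange (constant time)."""
    return hmac.compare_digest(bind_in_exchange(method_key, channel_data), tag)


if __name__ == "__main__":
    k_nas1 = derive_bound_key(MSK, b"AAA-Key", PEER_ID, AUTHENTICATOR_ID)
    k_nas2 = derive_bound_key(MSK, b"AAA-Key", PEER_ID, b"nas-2.example.net")
    print("key differs per authenticator:", k_nas1 != k_nas2)
    tag = bind_in_exchange(k_nas1, AUTHENTICATOR_ID)
    print("advertised identity matches:", verify_exchange(k_nas1, AUTHENTICATOR_ID, tag))
    print("mismatch detected in-exchange:",
          not verify_exchange(k_nas1, b"nas-2.example.net", tag))
```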
