Re: channel binding
From: Yoshihiro Ohba (yohbatari.toshiba.com)
Date: Wed, 31 Aug 2005 23:34:46 -0400 (EDT)
On Wed, Aug 31, 2005 at 08:18:27PM -0700, Salowey, Joe wrote:
> 
> > But I like the idea of carrying a MAC of blob instead of a 
> > blob itself, as we can avoid RADIUS attribute fragmentation 
> > that needs to be considered if a blob itself is carried.
> > 
> [Joe] If you were going to carry just a blob then you would probably
> carry a hash instead of a MAC, the MAC above is keyed with key material
> within the EAP method.  I'm not sure that carrying a hash of parameters in
> RADIUS is sufficient or necessary.  It is probably not sufficient
> because you may need to validate the contents of the bindings asserted
> by the authenticator in the AAA hosting the EAP server to avoid the
> problem you discuss above. It may not be necessary since you need to
> have information associated with the authenticator on the AAA that is
> hosting the EAP server to validate the asserted binding by the
> authenticator.   If the information is not variable then you don't have
> to transmit it.  If it is then you probably have to transmit it so it
> can be verified. 

The draft-ohba-eap-aaakey-binding-01 draft assumes that a blob carries
static information only.  Thus it is possible for the AAA server to
have the information to validate the blob itself or a hash of the
blob.  If this is the case, carrying a hash of parameters in RADIUS is
sufficient.

Yoshihiro Ohba


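The two verification paths discussed in this exchange (a keyed MAC bound to EAP method key material, or a plain hash over static binding parameters that the AAA server already holds) can be sketched in code. The following is an added illustration, not code from the thread or from draft-ohba-eap-aaakey-binding-01; the attribute names, the authenticator database, the canonical encoding and the use of a single symmetric key as a stand-in for EAP-method-derived key material are all assumptions made here for the sake of a runnable example.

```python
import hashlib
import hmac
import json

# Constructed sample data (not from the thread): what the AAA server hosting the
# EAP server knows about each authenticator. The attribute names are illustrative
# and are not real RADIUS attribute definitions.
AAA_AUTHENTICATOR_DB = {
    "nas-01.example.net": {
        "nas_id": "nas-01.example.net",
        "ssid": "corp",
        "nas_ip": "192.0.2.10",
    },
}

# Assumption: a stand-in for key material exported by the EAP method and shared
# by the peer and the EAP server. A real method would derive this; we just fix it.
METHOD_KEY = b"constructed-eap-method-key-material"

# What an honest authenticator advertises to the peer over the link.
HONEST_ASSERTION = {"nas_id": "nas-01.example.net", "ssid": "corp", "nas_ip": "192.0.2.10"}
# What a lying authenticator advertises (it claims a different SSID).
ROGUE_ASSERTION = {"nas_id": "nas-01.example.net", "ssid": "guest", "nas_ip": "192.0.2.10"}


def canonical_blob(params):
    """Encode the binding parameters deterministically so that the peer and the
    AAA server hash exactly the same bytes. Sorted keys and no whitespace avoid
    encoding ambiguity; the JSON choice itself is an assumption of this example."""
    return json.dumps(params, sort_keys=True, separators=(",", ":")).encode()


def blob_hash(params):
    """Unkeyed variant: a hash of the blob, usable only because the parameters are
    static and the AAA server can recompute the same hash from its own record."""
    return hashlib.sha256(canonical_blob(params)).hexdigest()


def blob_mac(key, params):
    """Keyed variant: a MAC over the blob keyed with EAP method key material, so the
    binding is also tied to the authenticated EAP exchange."""
    return hmac.new(key, canonical_blob(params), hashlib.sha256).hexdigest()


def aaa_verify(nas_name, received, method_key=None):
    """AAA-side check. The server does NOT trust the authenticator's asserted blob;
    it recomputes the expected value from its own record for that authenticator and
    compares it to what the peer bound. Returns True if the binding matches."""
    expected_params = AAA_AUTHENTICATOR_DB.get(nas_name)
    if expected_params is None:
        # Unknown authenticator: nothing to validate against, so reject.
        return False
    if method_key is None:
        expected = blob_hash(expected_params)
    else:
        expected = blob_mac(method_key, expected_params)
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected, received)


def demo():
    """Run both variants against an honest and a lying authenticator."""
    nas = "nas-01.example.net"
    results = {
        "hash_honest": aaa_verify(nas, blob_hash(HONEST_ASSERTION)),
        "hash_rogue": aaa_verify(nas, blob_hash(ROGUE_ASSERTION)),
        "mac_honest": aaa_verify(nas, blob_mac(METHOD_KEY, HONEST_ASSERTION), METHOD_KEY),
        "mac_rogue": aaa_verify(nas, blob_mac(METHOD_KEY, ROGUE_ASSERTION), METHOD_KEY),
        # Peer holding different key material than the EAP server: binding fails
        # even though the parameters themselves are correct.
        "mac_wrong_key": aaa_verify(nas, blob_mac(b"other-key", HONEST_ASSERTION), METHOD_KEY),
    }
    for name, ok in results.items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
    return results


if __name__ == "__main__":
    demo()
```

The point the example makes concrete is Joe's observation that the hash alone suffices only when the AAA server already holds the information it needs to recompute it: the unkeyed path works here purely because the parameters are static and on record at the server. If an authenticator could legitimately assert variable parameters, the server would have no reference value and the parameters themselves (not just their hash) would have to be carried and validated.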
