Re: [eap-keying] issue EAP and authorization

From: Jari Arkko (jari.arkko
Date: Mon, 7 Nov 2005 00:10:23 -0500 (EST)
Avi Lior wrote:
In draft-ietf-eap-keying-08.txt page 6:
"The EAP server also
stores the peer's identity and/or other information necessary to
decide whether access to some service should be granted. The peer
stores information necessary to choose which secret to use for which
service."
The issue I have is that the above seems to indicate that the EAP-Server is somehow involved in authorization.
This is *hopefully* not true, and contradicts section 4.1 of the same draft.
It should not be true. Note that there may be scenarios where data from EAP needs to be used in an authorization decision, such as when a method carries channel binding data. But this is opaque data while in EAP, and needs to be exported out, where the AAA server then makes the authorization decision.
Suggest re-write:
"The EAP server also
stores the peer's identity and the peer
stores information necessary to choose which secret to use for which
service."
Ok.
Note also that in the following paragraph the sentence is repeated again:
"If authentication is based on proof of possession of the private key
corresponding to the public key contained within a certificate, the
parties store the EAP method to be used and the trust anchors used to
validate the certificates. The EAP server also stores the peer's
identity and/or other information necessary to decide whether access
to some service should be granted. The peer stores information
necessary to choose which certificate to use for which service."
Suggested re-write:
"If authentication is based on proof of possession of the private key
corresponding to the public key contained within a certificate, the
parties store the EAP method to be used and the trust anchors used to
validate the certificates. The EAP server also stores the peer's
identity and the peer stores information
necessary to choose which certificate to use for which service."
Ok.
--Jari