| Re: Issue: Comments on draft-ietf-eap-keying-08b.txt section 1 | <– Date –> <– Thread –> |
From: Jari Arkko (jari.arkko piuha.net)
|
|
| Date: Tue, 13 Dec 2005 06:09:48 -0800 (PST) | |
Salowey, Joe wrote:
--Jari
"The EAP server also stores the peer's identity and/or other information necessary to decide whether access to some service should be granted. "
This sentence (appearing twice) makes it sound like the EAP server is going to decide whether to access to a server should be granted. It would be better to say something like
"The EAP server also stores the peer's identity and/or other information
associated with the identity. This information may be provided with the
authenticated identity to the entity that determines whether access to
the service that required EAP authentication should be granted."
Very good. This also solves the storage issues that we discussed in IETF-64.
--Yes.
Since IV is being deprecated I think we should reference it a little as
possible, suggestion is to remove refernces to IV in this section. It
should be removed in figure 1.
Ok.-- "EAP methods also MAY export method-specific peer and server identifiers (peer-ID and server-ID), a method-specific EAP conversation identifier known as the Method-ID, and the lifetime of the exported keys, known the Key-Lifetime. EAP methods MAY also support the import and export of Channel Bindings. New EAP method specifications MUST define the Peer-ID, Server-ID and Method-ID. The combination of the Peer-ID and Server-ID uniquely specifies the endpoints of the EAP method exchange."
It seems that additional data associated with the identity should be
exported to satisfy section 1.3. Suggestion is to add this and call
them identity attributes.
In this paragraph the it states that the "Peer-ID and Server-ID uniquelyOk.
specifies the
endpoints of the EAP method exchange", however further down it states
that these quantities may be null. This is contradictory. Suggested
modificaiton to above text:
"The combination of the Peer-ID and Server-ID may uniquely specify the
endpoints of the EAP method exchange if the method supports unique IDs."
--Not sure -- I don't have a requirement for that. Others?
There are two styles of channel bindings that may be supported by EAP
methods. The text in this section describes exportable channel bindings.
There is also the approach where the bindings are non exportable. In
this case the method does a binary comparision of the channelbindings or
hash of the channel bindings and fails if the result does not match. I
can see the possibility of a method supporting both styles. Should we
include both?
--Jari
-
Issue: Comments on draft-ietf-eap-keying-08b.txt section 1 Salowey, Joe, December 1 2005
- Re: Issue: Comments on draft-ietf-eap-keying-08b.txt section 1 Jari Arkko, December 13 2005
- Re: Issue: Comments on draft-ietf-eap-keying-08b.txt section 1 Yoshihiro Ohba, January 12 2006
Results generated by Tiger Technologies using MHonArc.