Re: Strawman -10
From: Yoshihiro Ohba (yohbatari.toshiba.com)
Date: Tue, 7 Feb 2006 16:43:22 -0800 (PST)
On Tue, Feb 07, 2006 at 02:49:13PM -0800, Bernard Aboba wrote:
> >In draft-ohba-eap-channel-binding-00.txt, the use of the "Channel
> >Binding" key does not need to be negotiated by the lower layer.
> >Instead, the negotiation is required by EAP method.
> 
> How does the EAP method know whether the link layer is doing "Channel 
> Binding" EAP key derivation or not?  EAP methods are typically link layer 
> agnostic, so the keys are computed the same way regardless of media.  Or 
> are we saying that the method needs to be able to take the Channel Bindings 
> into account in computation of the MSK?  If so, how does it know what 
> Channel Bindings are to be used to compute keys with which link layers?  
> The Channel Bindings may not be the same for every link layer.
> 
> 

- The EAP peer can directly obtain "Channel Binding" parameter from
lower layer if the lower layer supports "Channel Binding".

- The EAP server is expected to obtain "Channel Binding" parameter
from NAS or authentication server where it resides depending on
whether the mode is standalone or pass-through, respectively.  It is
assumed that the authentication server is pre-configured with "Channel
Binding" parameter for each EAP authenticator whose lower layer
supports "Channel Binding".  To address a potential scalability issue
with this, several variants such as hierarchical "Channel Binding" as well
as transferring master "Channel Binding" key are defined in the draft.

- The "Channel Binding" key is computed the same way regardless of
media, provided that "Channel Binding" parameter is treated as an
opaque blob.

Yoshihiro Ohba
