Re: issue 325 - channel bindings
From: Yoshihiro Ohba (yohbatari.toshiba.com)
Date: Mon, 6 Mar 2006 08:46:12 -0800 (PST)
It may be too late to make a comment on this, but if we agree that only
the server has the knowledge of the Channel Binding values, I really
don't see any value in carrying Channel Bindings over EAP methods
compared to the other method of using the Channel Bindings for key
derivation.  Please correct me if my view is wrong.

Yoshihiro Ohba


On Mon, Mar 06, 2006 at 04:01:51AM -0800, Bernard Aboba wrote:
> How about this?
> 
> "Channel Bindings include lower layer parameters that
> are verified for consistency between the EAP peer and server.
> In order to avoid introducing media dependencies, EAP
> methods that transport Channel Binding data MUST treat this
> data as opaque octets.
> 
> Typically the EAP method imports Channel Bindings from the
> lower layer on the peer, and transmits them securely to the
> EAP server, which exports them to the lower layer or AAA layer.  However,
> transport may occur from EAP server to peer, or may be
> bi-directional.  On the side of the exchange (peer or server)
> where Channel Bindings are verified, the lower layer or AAA layer passes
> the result of the verification (TRUE or FALSE) up to the
> EAP method.
> 
> While the verification can be done either by the peer
> or the server, typically only the server has the knowledge to
> determine the correctness of the values, as opposed to merely
> verifying their equality."
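
The two approaches compared in this thread, as an added example that is not part of either message or of the draft text: carrying the bindings as opaque octets for verification on the server side, and mixing them into key derivation. HMAC-SHA-256 stands in for the EAP method's integrity protection and key derivation, and all keys, binding strings and function names are assumptions made for illustration.

```python
import hashlib
import hmac

# All keys, identifiers and binding strings below are constructed sample values.
METHOD_KEY = b"k" * 32          # integrity key assumed to come from the EAP method
MSK = b"m" * 32                 # stand-in for keying material exported by the method
PROVISIONED = {b"ssid=corp;nas-id=ap-17"}   # what the server knows to be correct

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def peer_send(cb: bytes) -> bytes:
    """Peer-side EAP method: carry the lower-layer bindings as opaque octets."""
    return _mac(METHOD_KEY, cb) + cb

def server_receive(msg: bytes) -> bytes:
    """Server-side EAP method: check integrity, never parse the octets."""
    tag, cb = msg[:32], msg[32:]
    if not hmac.compare_digest(tag, _mac(METHOD_KEY, cb)):
        raise ValueError("channel binding payload failed integrity check")
    return cb

def aaa_verify(peer_cb: bytes, aaa_cb: bytes) -> tuple[bool, bool]:
    """AAA layer on the server: returns (equal, correct)."""
    equal = hmac.compare_digest(peer_cb, aaa_cb)
    return equal, equal and peer_cb in PROVISIONED

def bound_key(cb: bytes) -> bytes:
    """Key-derivation variant: each side mixes in its own view of the bindings."""
    return _mac(MSK, b"cb-bound-key\x00" + cb)

def run(peer_view: bytes, aaa_view: bytes) -> dict:
    equal, correct = aaa_verify(server_receive(peer_send(peer_view)), aaa_view)
    return {
        "equal": equal,
        "correct": correct,   # the single TRUE/FALSE passed up to the EAP method
        "keys_match": hmac.compare_digest(bound_key(peer_view), bound_key(aaa_view)),
    }

if __name__ == "__main__":
    good = b"ssid=corp;nas-id=ap-17"
    for peer_view, aaa_view in [(good, good),
                                (good, b"ssid=corp;nas-id=ap-99"),
                                (b"ssid=corp;nas-id=ap-99",) * 2]:
        print(peer_view, aaa_view, run(peer_view, aaa_view))
```

In the third case both views agree on a value that is not in the server's provisioned set, so the equality check and the derived keys agree while the correctness check returns FALSE.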