Re: Re: Issue 352: Channel Binding Issue
From: Yoshihiro Ohba (yohbatari.toshiba.com)
Date: Tue, 2 May 2006 14:57:26 -0700 (PDT)
On Tue, May 02, 2006 at 12:26:42PM -0700, Bernard Aboba wrote:
> >Thank you for reading the document.  And the answer is, if the
> >generated "mixed" MSKs are carried in the existing AAA attributes
> >instead of carrying the MSKs, then no AAA attributes or communication
> >flow is required for EAP keying.
> 
> It might be worth saying a few words about this in the paragraph.  

I agree on adding a few words on this in the paragraph.

> Overall, 
> I'm not sure whether the Channel Binding text in the document is all that 
> consistent/comprehensive.


I agree with your opinion here as well.  Let me quote some
questionable parts in Section 5.11 of eap-keying-13 below:


"
As noted in [RFC3748] Section 7.15, this vulnerability can be
addressed by EAP methods that support a protected exchange of channel
properties such as endpoint identifiers, including (but not limited
to): Called-Station-Id [RFC2865][RFC3580], Calling-Station-Id
[RFC2865][RFC3580], NAS-Identifier [RFC2865], NAS-IP-Address
[RFC2865], and NAS-IPv6-Address [RFC3162].
"

I'd mention that the Channel Binding description in RFC3748 is somewhat
obsolete according to the recent discussion on the AAA server's
requirement on pre-configuring Channel Binding parameters.  Do we
need this paragraph?  Or instead we may have some explicit text here
to obsolete the Channel Binding description in RFC3748.


"
Using such a protected exchange, it is possible to match the channel
properties provided by the authenticator via out-of-band mechanisms
against those exchanged within the EAP method.  For example, see the
discussion in Section 1.4 as well as [I-D.arkko-eap-service-identity-
auth].
"

According to the AAA server's requirement on pre-configuring
Channel Binding parameters, I don't see the usefulness of
[I-D.arkko-eap-service-identity-auth].  Do we really need this
paragraph?


"
The main difference between these approaches is that Channel Binding
support within an EAP method may require upgrading or changing the
EAP method, impacting both the peer and the server.  Where Channel
Bindings are implemented in AAA, the peer, authenticator and the
backend server need to be upgraded, but the EAP method need not be
modified.
"

If we have only one Channel Binding method, we don't need this
comparison.


Best regards,
Yoshihiro Ohba
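As an added illustration of the check the quoted Section 5.11 text describes (not code from the thread, the draft, or any implementation), the following models what an AAA server would do with the two sources of channel properties discussed above: the attributes the authenticator (NAS) puts in the AAA request, and the values the peer reports inside the protected EAP method exchange. It also models the "pre-configured Channel Binding parameters" requirement mentioned in the message, as a per-NAS profile held on the AAA server. The attribute names are those the draft lists (RFC 2865, RFC 3580, RFC 3162); the function names, data layout, MAC/SSID encoding assumption and all sample values are assumptions made for this example.

```python
"""Channel Binding consistency check (illustrative, not from the draft or thread).

Assumptions: Called/Calling-Station-Id use the RFC 3580 'MAC[:SSID]' form
with a hyphen-separated MAC; the NAS profile is looked up by the AAA server
from the RADIUS client entry that sent the request; the peer's view arrives
via a protected EAP-method exchange and is handed over as a plain dict.
"""
import ipaddress
from typing import Dict, List

# Channel properties named in eap-keying Section 5.11.
CHANNEL_PROPERTIES = (
    "Called-Station-Id",
    "Calling-Station-Id",
    "NAS-Identifier",
    "NAS-IP-Address",
    "NAS-IPv6-Address",
)


def canonical(name: str, value: str) -> str:
    """Comparable form of an attribute value.

    MAC part of a Station-Id is compared case-insensitively, the SSID part
    as-is (SSIDs are case-sensitive); IP addresses in canonical text form.
    """
    value = value.strip()
    if name in ("Called-Station-Id", "Calling-Station-Id"):
        mac, sep, ssid = value.partition(":")  # assumes hyphen-separated MAC
        return mac.lower() + sep + ssid
    if name in ("NAS-IP-Address", "NAS-IPv6-Address"):
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return value.lower()
    return value


def check_channel_binding(aaa_attrs: Dict[str, str],
                          peer_reported: Dict[str, str],
                          nas_profile: Dict[str, str]) -> List[str]:
    """Return a list of mismatches; an empty list means the bindings agree."""
    problems: List[str] = []
    # (1) NAS attributes must agree with the server's pre-configured profile
    #     for this authenticator (the requirement the thread refers to).
    for name, expected in nas_profile.items():
        claimed = aaa_attrs.get(name)
        if claimed is None:
            problems.append(f"{name}: absent from AAA request, profile expects {expected!r}")
        elif canonical(name, claimed) != canonical(name, expected):
            problems.append(f"{name}: NAS sent {claimed!r}, profile expects {expected!r}")
    # (2) What the peer saw on the link (carried inside the protected EAP
    #     method) must agree with what the NAS told the AAA server.
    for name, seen_by_peer in peer_reported.items():
        if name not in CHANNEL_PROPERTIES:
            problems.append(f"{name}: not a recognised channel property")
            continue
        claimed = aaa_attrs.get(name)
        if claimed is None:
            problems.append(f"{name}: peer reports {seen_by_peer!r} but NAS sent nothing")
        elif canonical(name, claimed) != canonical(name, seen_by_peer):
            problems.append(f"{name}: peer saw {seen_by_peer!r}, NAS told AAA {claimed!r}")
    return problems


# --- constructed sample data -------------------------------------------------
NAS_PROFILE = {  # pre-configured on the AAA server for one RADIUS client
    "NAS-Identifier": "ap-lobby-1",
    "NAS-IP-Address": "192.0.2.10",
    "Called-Station-Id": "00-11-22-33-44-55:CorpNet",
}
AAA_REQUEST = {  # attributes the NAS put in its Access-Request
    "NAS-Identifier": "ap-lobby-1",
    "NAS-IP-Address": "192.0.2.10",
    "Called-Station-Id": "00-11-22-33-44-55:CorpNet",
    "Calling-Station-Id": "AA-BB-CC-DD-EE-FF",
}
PEER_VIEW_OK = {  # what the peer reported inside the protected EAP exchange
    "Called-Station-Id": "00-11-22-33-44-55:CorpNet",
    "Calling-Station-Id": "aa-bb-cc-dd-ee-ff",
}
PEER_VIEW_DIFFERENT_SSID = {  # peer attached to a differently named network
    "Called-Station-Id": "00-11-22-33-44-55:FreeWifi",
    "Calling-Station-Id": "AA-BB-CC-DD-EE-FF",
}


def honest_case() -> List[str]:
    return check_channel_binding(AAA_REQUEST, PEER_VIEW_OK, NAS_PROFILE)


def ssid_mismatch_case() -> List[str]:
    return check_channel_binding(AAA_REQUEST, PEER_VIEW_DIFFERENT_SSID, NAS_PROFILE)


if __name__ == "__main__":
    print("honest:", honest_case() or "bindings agree")
    print("mismatch:", ssid_mismatch_case())
```

Step (1) is what makes the in-method exchange useful at all: without a pre-configured profile the server can only confirm that the NAS told the peer and the server the same story, not that the story is true, which is the point the message raises about the RFC3748 description.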
