| Re: Re: Issue 352: Channel Binding Issue | <– Date –> <– Thread –> |
From: Yoshihiro Ohba (yohba tari.toshiba.com)
|
|
| Date: Tue, 2 May 2006 16:19:27 -0700 (PDT) | |
On Tue, May 02, 2006 at 03:18:20PM -0700, Salowey, Joe wrote: > > > > As noted in [RFC3748] Section 7.15, this vulnerability can be > > addressed by EAP methods that support a protected exchange of channel > > properties such as endpoint identifiers, including (but not limited > > to): Called-Station-Id [RFC2865][RFC3580], Calling-Station-Id > > [RFC2865][RFC3580], NAS-Identifier [RFC2865], NAS-IP-Address > > [RFC2865], and NAS-IPv6-Address [RFC3162]. > > " > > > > I'd mention that Channel Binding description in RFC3748 is somewhat > > obsolete according to the recent discussion on the AAA server's > > requirement on pre-configurating Channel Binding parameters. Do we > > need this paragraph? Or instead we may have some explicit text here > > to obsolete Channel Binding description in RFC3748. > > > [Joe] I don't see how this text is obsolete. Channel binding is not > just an EAP-keying concept. I'd say the Channel Binding problem description in RFC3748 is valid, but the solution described in RFC 3748 would be a bit obsolete. > > > > > " > > Using such a protected exchange, it is possible to match the channel > > properties provided by the authenticator via out-of-band mechanisms > > against those exchanged within the EAP method. For example, see the > > discussion in Section 1.4 as well as [I-D.arkko-eap-service-identity- > > auth]. > > " > > > > According to the the AAA server's requirement on pre-configurating > > Channel Binding parameters, I don't see the usefulness of > > [I-D.arkko-eap-service-identity-auth]. Do we really need this > > paragraph? > > > [Joe] It still seems useful to me. Can you elaborate on how it is useful? Regards, Yoshihiro Ohba > > > > > > " > > The main difference between these approaches is that Channel Binding > > support within an EAP method may require upgrading or changing the > > EAP method, impacting both the peer and the server. Where Channel > > Bindings are implemented in AAA, the peer, authenticator and the > > backend server need to be upgraded, but the EAP method need not be > > modified. > > " > > > > If we have only one Channel Binding method, we don't need this > > comparison. > > [Joe] I don't think this is the place to define one method. > > > > Best regards, > > Yoshihiro Ohba > > _________________________________________________________________ > > To unsubscribe or modify your subscription options, please visit: > > http://lists.frascone.com/mailman/listinfo/eap > > > > Arhives: http://lists.frascone.com/pipermail/eap > > > >
- Re: Re: Issue 352: Channel Binding Issue, (continued)
-
Re: Re: Issue 352: Channel Binding Issue Yoshihiro Ohba, May 2 2006
-
Re: Re: Issue 352: Channel Binding Issue Bernard Aboba, May 2 2006
- Re: Re: Issue 352: Channel Binding Issue Yoshihiro Ohba, May 2 2006
-
Re: Re: Issue 352: Channel Binding Issue Bernard Aboba, May 2 2006
-
RE: Re: Issue 352: Channel Binding Issue Salowey, Joe, May 2 2006
- Re: Re: Issue 352: Channel Binding Issue Yoshihiro Ohba, May 2 2006
-
Re: Re: Issue 352: Channel Binding Issue Yoshihiro Ohba, May 2 2006
-
RE: Re: Issue 352: Channel Binding Issue Salowey, Joe, May 2 2006
-
Re: Re: Issue 352: Channel Binding Issue Yoshihiro Ohba, May 2 2006
- Re: Re: Issue 352: Channel Binding Issue Bernard Aboba, May 2 2006
-
Re: Re: Issue 352: Channel Binding Issue Yoshihiro Ohba, May 2 2006
- RE: Re: Issue 352: Channel Binding Issue Salowey, Joe, May 2 2006
Results generated by Tiger Technologies using MHonArc.