Re: Re: Issue 352: Channel Binding Issue
From: Jari Arkko (jari.arkkopiuha.net)
Date: Mon, 8 May 2006 08:57:17 -0700 (PDT)
Yoshihiro Ohba wrote:

>On Tue, May 02, 2006 at 04:23:22PM -0700, Salowey, Joe wrote:
>
>>Hmmm... 
>>
>>Peer gets MSK from EAP and mixes it with Y to get MSKY 
>>Authenticator gets mixed MSKY in existing AAA attribute, since this is
>>an existing attribute it thinks it is just the MSK and mixes it with Y
>>to get MSKYY.  MSKY and MSKYY don't match.
>
>There is some misunderstanding.  If the authenticator is supposed to
>further mix Y to get MSKYY from MSKY, then the peer is also supposed
>to further mix Y to get MSKYY from MSKY.
>
Yes, but the question is how do the peer and the AAA server
know that they are doing this? This is a change from the
current procedures, so presumably to make this all work there
needs to be negotiation somewhere that it's turned on.

Wearing my AD hat:

Anyway, as I said in another e-mail, I really don't want
the EAP keying framework to pick a channel binding solution.
If it helps, we could drop all discussion of implementation
approaches for channel bindings, and just focus on the
desired behaviour.

--Jari