Re: Re: issue 357: Channel Binding Definition
From: Lakshminath Dondeti (ldondetiqualcomm.com)
Date: Tue, 9 May 2006 09:31:05 -0700 (PDT)
At 07:02 AM 5/9/2006, Yoshihiro Ohba wrote:
> On Tue, May 09, 2006 at 01:46:56PM +0300, Jari Arkko wrote:
> > And you Lakshminath wrote:
> >
> > > This is confusing to me.  I was under the assumption that the peer and
> > > the server should agree that they have the same view of the
> > > authenticator (perhaps with the provision that the server may have a
> > > superset of the information than the peer has).  What does the
> > > authenticator need to agree on?  Does it matter?
> >
> > Good questions. I'd be happy to restrict the definition
> > to peer and server agreeing that they have the same
> > view of the channel properties claimed by the authenticator.
>
> If the definition is only for agreement between the peer and server,
> then it means we are allowing Channel Binding without running a SAP.
> I think involvement of the authenticator's agreement via SAP is
> needed.  I mean the authenticator needs to agree that, the
> authenticator, not someone else, has sent the information to the peer.

Hmmm, let's see. The peer and the server agree, let's say through the EAP method, that they are talking to the same authenticator and the server sends the MSK (or for that matter, as Joe seems to imply, port open indication) to *that* authenticator. So, I don't see why the authenticator needs any more verification.


Now without the SAP there are other problems, but they don't seem relevant to CB. Perhaps I am missing something (you seem like you've explored this area quite a bit, please explain. Thanks).

regards,
Lakshminath



