Re: Proposed Resolution to Issue 352: Channel Binding Issue
From: Yoshihiro Ohba (yohbatari.toshiba.com)
Date: Tue, 6 Jun 2006 13:18:47 -0700 (PDT)
On Tue, Jun 06, 2006 at 04:01:54PM -0400, Yoshihiro Ohba wrote:
> I have one comment.
> 
> On Sun, Jun 04, 2006 at 06:31:15PM -0700, Bernard Aboba wrote:
> > 
> >    It is also possible to achieve Channel Bindings without transporting
> >    data over EAP.  For example, see [I-D.draft-ohba-eap-channel-binding].
> >    In this approach the EAP method includes Channel Bindings in the
> >    calculation of exported EAP keying material, making it impossible for
> >    the peer and authenticator to complete the Secure Association Protocol
> >    if there is a mismatch in the Channel Bindings.  However, this approach
> >    can only be applied where EAP methods generating key material are used
> >    along with lower layers that utilize the keying material.  For example,
> >    this mechanism would not enable verification of Channel Bindings on
> >    wired IEEE 802 networks which do not support data frame protection."
> > 
> 
> The last sentence is correct when 802.1X is used as EAP transport over
> wired IEEE 802 networks, but not correct when PANA is used where it is
> still possible to enable verification of Channel Bindings with this
> scheme by protected PANA-Bind exchange as I mentioned to Joe.
> 
> I would suggest revising the last two sentences something like:
> 
> "
>   However, this approach can only be applied where EAP methods
>   generating key material are used along with lower layers that
>   utilize the keying material for data frame protection.  For
>   example, this mechanism would not enable verification of Channel
>   Bindings on wired IEEE 802 networks using IEEE 802.1X.
> "

Sorry for self-responding, but the penultimate sentence does not need
to be changed.  My suggestion is for the last sentence only.

Yoshihiro Ohba
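The mechanism under discussion, mixing Channel Bindings into the exported EAP keying material so a protected lower-layer exchange fails on mismatch, modelled as an added example; this is illustrative code, not text from the thread or from draft-ohba-eap-channel-binding, and the KDF label, the field names and the sample MSK are constructed assumptions:

```python
import hashlib
import hmac

# Constructed sample MSK standing in for the EAP method's exported key material.
MSK = bytes.fromhex("00112233445566778899aabbccddeeff" * 4)


def derive_bound_key(msk: bytes, channel_bindings: dict) -> bytes:
    """Bind the exported key to the Channel Binding parameters.

    Both sides serialise the parameters the same way (sorted key=value
    pairs), so identical views yield identical keys and any differing
    field yields an unrelated key. HMAC-SHA256 is an assumed KDF here.
    """
    canonical = b"|".join(f"{k}={v}".encode() for k, v in sorted(channel_bindings.items()))
    return hmac.new(msk, b"channel-binding-kdf|" + canonical, hashlib.sha256).digest()


def mic(key: bytes, payload: bytes) -> bytes:
    """Integrity check over a protected lower-layer message (e.g. a PANA-Bind)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def secure_association_succeeds(msk: bytes, peer_view: dict, server_view: dict) -> bool:
    """Simulate the Secure Association Protocol after EAP completes.

    peer_view:   Channel Bindings the peer observed from its lower layer.
    server_view: Channel Bindings the authenticator reported to the EAP
                 server over AAA; the server derives the key from these and
                 hands it to the authenticator.
    The authenticator cannot verify the peer's MIC unless both views match.
    """
    peer_key = derive_bound_key(msk, peer_view)
    authenticator_key = derive_bound_key(msk, server_view)
    payload = b"SAP message 1 (constructed)"
    return hmac.compare_digest(mic(authenticator_key, payload), mic(peer_key, payload))


if __name__ == "__main__":
    observed = {"authenticator_id": "paa-01", "realm": "example.net"}
    reported = {"authenticator_id": "paa-02", "realm": "example.net"}
    print("matching bindings  ->", secure_association_succeeds(MSK, observed, observed))
    print("mismatched bindings ->", secure_association_succeeds(MSK, observed, reported))
```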
