Re: Proposed Resolution to Issue 352: Channel Binding Issue
From: Yoshihiro Ohba (yohbatari.toshiba.com)
Date: Tue, 6 Jun 2006 15:01:59 -0700 (PDT)
On Tue, Jun 06, 2006 at 01:36:45PM -0700, Bernard Aboba wrote:
> >Sorry for self-responding, but the penultimate sentence does not need
> >to be changed.  My suggestion is for the last sentence only.
> 
> Here is the new paragraph:
> 
> "It is also possible to achieve Channel Bindings without transporting
> data over EAP.  For example, see [I-D.draft-ohba-eap-channel-binding].
> In this approach the EAP method includes Channel Bindings in the
> calculation of exported EAP keying material, making it impossible for
> the peer and authenticator to complete the Secure Association Protocol
> if there is a mismatch in the Channel Bindings.
> However, this approach can only be applied where EAP methods
> generating key material are used along with lower layers that
> utilize the keying material for data frame protection.  For example,
> this mechanism would not enable verification of Channel Bindings on
> wired IEEE 802 networks using IEEE 802.1X."
> 
> Is this what you intended?
> 

Not exactly.  In the PANA usage for wired IEEE 802 networks the keying
material is not for data frame protection, but just for protecting
PANA messaging.

So here is my intended text:

"
It is also possible to achieve Channel Bindings without transporting
data over EAP.  For example, see [I-D.draft-ohba-eap-channel-binding].
In this approach the EAP method includes Channel Bindings in the
calculation of exported EAP keying material, making it impossible for
the peer and authenticator to complete the Secure Association Protocol
if there is a mismatch in the Channel Bindings.  However, this
approach can only be applied where EAP methods generating key material
are used along with lower layers that utilize the keying material.
For example, this mechanism would not enable verification of Channel
Bindings on wired IEEE 802 networks using IEEE 802.1X.
"

Yoshihiro Ohba
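
Added example, not part of the original message or of draft-ohba-eap-channel-binding: a sketch of the mechanism the proposed paragraph describes, where Channel Bindings are mixed into the exported key so that a mismatch makes key confirmation fail. The HMAC-SHA256 construction, the label, the attribute names and the two-message confirmation standing in for the Secure Association Protocol are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

LABEL = b"example channel-bound key"  # hypothetical label, not taken from any draft

def encode_bindings(attrs: dict) -> bytes:
    """Canonical, length-prefixed encoding so attribute boundaries are unambiguous."""
    out = b""
    for name in sorted(attrs):
        for field in (name.encode(), attrs[name].encode()):
            out += len(field).to_bytes(2, "big") + field
    return out

def bound_key(msk: bytes, attrs: dict) -> bytes:
    """Mix the Channel Bindings into the exported key (assumed HMAC-SHA256 construction)."""
    return hmac.new(msk, LABEL + b"\x00" + encode_bindings(attrs), hashlib.sha256).digest()

def mic(key: bytes, role: bytes, n_peer: bytes, n_auth: bytes) -> bytes:
    """Key-confirmation MAC over the sender's role and both nonces."""
    return hmac.new(key, role + n_peer + n_auth, hashlib.sha256).digest()

def secure_association(msk: bytes, peer_view: dict, server_view: dict) -> bool:
    """Toy key confirmation standing in for the Secure Association Protocol.

    The peer derives its key from what the authenticator advertised to it; the
    server derives the key it hands to the authenticator from what the
    authenticator reported to the server.
    """
    k_peer = bound_key(msk, peer_view)
    k_auth = bound_key(msk, server_view)
    n_peer, n_auth = os.urandom(16), os.urandom(16)
    auth_mic = mic(k_auth, b"auth", n_peer, n_auth)  # authenticator -> peer
    peer_mic = mic(k_peer, b"peer", n_peer, n_auth)  # peer -> authenticator
    peer_ok = hmac.compare_digest(auth_mic, mic(k_peer, b"auth", n_peer, n_auth))
    auth_ok = hmac.compare_digest(peer_mic, mic(k_auth, b"peer", n_peer, n_auth))
    return peer_ok and auth_ok

# Constructed sample values
MSK = bytes(range(64))
HONEST = {"nas-id": "ap-17.example.net", "ssid": "corp"}
LYING = {"nas-id": "ap-17.example.net", "ssid": "guest"}

if __name__ == "__main__":
    print("matching bindings:  ", secure_association(MSK, HONEST, HONEST))
    print("mismatched bindings:", secure_association(MSK, HONEST, LYING))
```

No binding data is carried inside EAP here; the mismatch surfaces only when the lower layer uses the key, which is why the approach depends on a lower layer that utilizes the keying material.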
