Re: Proposed Resolution to Issue 367: Key Scope and Server Authorization
From: Jari Arkko (jari.arkkopiuha.net)
Date: Sat, 24 Jun 2006 13:05:27 -0700 (PDT)
Bernard Aboba wrote:

>How about the following:
>
>Add the following paragraphs to the end of Section 2.3 Server 
>Identification:
>
>"EAP methods that support mutual authentication enable the EAP peer to only 
>connect to authenticators authenticated by a trusted EAP server.  However, 
>mutual authentication may not result in verification of the EAP server 
>identity.  For example, the EAP peer may only verify that the EAP server 
>possesses a long-term secret; in this case the EAP peer will only know that 
>an authenticator has been authorized by an EAP server, but will not know 
>which one.
>
>EAP methods that export the Server-Id MUST verify the server identity. This 
>enables the EAP peer to decide whether a specific EAP server is authorized 
>or not, and determine whether the EAP server is sharing keying material 
>outside the intended scope.  In some cases, such as where the certificate 
>extensions defined in [RFC4334] are included in the server certificate, it 
>may even be possible for the peer to verify some Channel Binding parameters 
>from the server certificate.  Where the EAP peer does not verify the EAP 
>server identity, it is not possible for the peer to determine whether keying 
>material has been shared outside its authorized scope."
>  
>
I am basically fine with this text, but it may exaggerate the value of
an identifier a little bit. If you assume that the correct server set has
given long-term secret material to some other servers, it's not clear that
having the server provide an identifier helps in all cases. For instance,
the server may lie about its identifier.

Suggested edit: s/This enables the EAP peer to decide/This may help
the EAP peer to decide/

--Jari
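The point argued in this exchange can be illustrated with a small model. The following is an added example written for this archive page, not code from the thread, the EAP specifications, or any EAP implementation: it models a "long-term secret" method where several servers hold one group secret, and contrasts it with identity-bound credentials (a per-server key standing in for a server certificate). Server names, secrets and helper functions are constructed for the illustration. It shows why an exported Server-Id "may help" rather than "enables": when the proof of possession is not bound to a specific identity, an authorized-but-different server can claim any Server-Id and still pass.

```python
import hmac
import hashlib
import os

# Constructed sample data (hypothetical names and keys, not from the thread).
# One long-term secret shared by a set of EAP servers ...
GROUP_SECRET = b"constructed-group-secret"
# ... versus per-server keys the peer knows individually, standing in for
# identity-bound credentials such as a server certificate.
PER_SERVER_KEYS = {
    "eap1.example.net": b"constructed-key-1",
    "eap2.example.net": b"constructed-key-2",
}


def server_respond(secret, challenge, claimed_id):
    """A server proves possession of `secret` over the peer's challenge and the
    Server-Id it claims. Nothing here prevents a server from claiming another
    server's identifier; that is exactly the gap discussed above."""
    return hmac.new(secret, challenge + claimed_id.encode(), hashlib.sha256).digest()


def peer_verify_shared_secret(challenge, claimed_id, response, authorized):
    """Peer that can only check that *some* holder of the group secret answered.
    The Server-Id is carried but unverified, so the authorization decision rests
    on a claim the server controls."""
    expected = server_respond(GROUP_SECRET, challenge, claimed_id)
    if not hmac.compare_digest(expected, response):
        return False
    return claimed_id in authorized


def peer_verify_identity_bound(challenge, claimed_id, response, authorized):
    """Peer that holds a credential per server identity. The proof must be made
    with the key belonging to the claimed Server-Id, so a false claim fails."""
    key = PER_SERVER_KEYS.get(claimed_id)
    if key is None or claimed_id not in authorized:
        return False
    expected = server_respond(key, challenge, claimed_id)
    return hmac.compare_digest(expected, response)


def demo():
    """Returns (shared_secret_accepts_lie, identity_bound_accepts_lie,
    identity_bound_accepts_honest)."""
    challenge = os.urandom(16)
    authorized = {"eap1.example.net"}  # the peer trusts only eap1

    # eap2 holds the group secret but is not authorized; it claims to be eap1.
    lie = server_respond(GROUP_SECRET, challenge, "eap1.example.net")
    shared_accepts_lie = peer_verify_shared_secret(
        challenge, "eap1.example.net", lie, authorized)

    # The same false claim against identity-bound credentials: eap2 can only
    # sign with its own key, which the peer does not associate with eap1.
    lie_bound = server_respond(PER_SERVER_KEYS["eap2.example.net"], challenge,
                               "eap1.example.net")
    bound_accepts_lie = peer_verify_identity_bound(
        challenge, "eap1.example.net", lie_bound, authorized)

    # The honest eap1 still authenticates under the identity-bound check.
    honest = server_respond(PER_SERVER_KEYS["eap1.example.net"], challenge,
                            "eap1.example.net")
    bound_accepts_honest = peer_verify_identity_bound(
        challenge, "eap1.example.net", honest, authorized)

    return shared_accepts_lie, bound_accepts_lie, bound_accepts_honest


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The first result is the case Jari describes: the peer learns that an authenticator was authorized by a holder of the secret, but the Server-Id it received is whatever that holder chose to send. Only when the identifier is bound to the authenticating credential, as with a server certificate, does comparing it against an authorized set actually constrain which server shared the keying material.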

