| Re: Issue 398: Discuss | <– Date –> <– Thread –> |
From: Glen Zorn (gwz) (gwz cisco.com)
|
|
| Date: Thu, 8 Mar 2007 20:35:26 -0800 (PST) | |
Bernard Aboba <mailto:bernard_aboba [at] hotmail.com> allegedly scribbled on Thursday, March 08, 2007 4:05 PM: ... > In section 2.2: > >Where the backend server FQDN differs from the subjectAltName in > the >certificate, the AAA client may not be able to successfully > determine >whether it is talking to the correct backend > authentication server. > > Why does the AAA client even examine the certificate used within the > EAP method? I think that this problem is one result of the sloppy terminology I mentioned in a previous comment: of course, the AAA server has no business looking at this cert but the EAP server does. The problem arises from the inappropriate conflation of the back-end EAP server and AAA server entities. > > >An EAP authenticator MUST NOT share any keying material with > >another EAP authenticator, since if one EAP authenticator were > >compromised, this would enable the compromise of keying material on > >another authenticator. > > This text needs to be fixed to allow 802.11r style key hierarchies. > Previous text gets this correct.
-
Issue 398: Discuss Bernard Aboba, March 8 2007
- Re: Issue 398: Discuss Glen Zorn (gwz), March 8 2007
Results generated by Tiger Technologies using MHonArc.