Issue: Section 5.5 Authorization Requirement
From: Bernard_Aboba (Bernard_Aboba@hotmail.com)
Date: Mon, 12 Nov 2007 08:21:33 -0800 (PST)
Looking over the document, I found a statement in Section 5.5 that
was not present in -18 or in RFC 4962, which I think the WG needs
to look at:

"  Requirement: The Secure Association Protocol (phase 2) conversation
  may utilize different identifiers from the EAP conversation (phase
  1a), so that binding between the EAP and Secure Association Protocol
  identities is REQUIRED."

Since the paragraphs below this quote are from RFC 4962, it seems that this
statement is intended to add something beyond what is included in RFC 4962.
However, I'm not clear what that is, exactly.

Typically, the term "binding" refers to a cryptographic binding, but no existing
EAP lower layer (even IKEv2) supports binding of EAP method-specific identities
within the Secure Association Protocol. In fact, RFC 4718 Section 3.5 discusses why the
Identity Payload exchange in IKEv2 may be insufficient to establish the binding.

EAP lower layers such as 802.11 establish the binding by requiring that the
EAP peer utilize the same MAC source address for EAP as for the 4-way handshake.
Since within 802.11 PMKs can only be used on a single peer interface, addition
of the Peer-Id to the 4-way handshake would not add much.

Given that the authorization issue is extensively discussed elsewhere, I'm not clear
what this statement adds.
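The 802.11 binding described above (same peer MAC address in phase 1a and in the 4-way handshake, PMK usable only from that one interface) as an added model in Python; it is illustration written for this page, not code from the thread, from IEEE 802.11 or from any implementation. The `Authenticator` class, `run_scenarios` and all key, address and nonce values are constructed; the PTK derivation follows the 802.11i PRF with both MAC addresses and both nonces mixed in, with a simplified EAPOL-Key body.

```python
import hmac
import hashlib

def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    # IEEE 802.11i PRF-n: concatenated HMAC-SHA1(K, A || 0x00 || B || i) blocks.
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # Both MAC addresses and both nonces are mixed into the PTK, so a handshake
    # run from a different peer address yields a different key even with the same PMK.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 384)

def key_mic(kck: bytes, body: bytes) -> bytes:
    # EAPOL-Key MIC: HMAC-SHA1 truncated to 128 bits (CCMP-style), over a simplified body.
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]

class Authenticator:  # constructed model of the AP side
    def __init__(self, aa: bytes):
        self.aa = aa
        self.pmksa = {}  # PMK cached under the MAC the EAP peer used in phase 1a
    def eap_success(self, peer_mac: bytes, pmk: bytes) -> None:
        self.pmksa[peer_mac] = pmk
    def handle_msg2(self, src: bytes, anonce: bytes, snonce: bytes, body: bytes, mic: bytes) -> bool:
        pmk = self.pmksa.get(src)  # identity check: same source MAC as the EAP conversation
        if pmk is None:
            return False
        kck = derive_ptk(pmk, self.aa, src, anonce, snonce)[:16]
        return hmac.compare_digest(key_mic(kck, body), mic)

def supplicant_msg2(pmk, aa, spa, anonce, snonce):
    # Supplicant builds message 2 (body, MIC) with a PTK derived over its own address.
    body = b"msg2" + snonce
    kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
    return body, key_mic(kck, body)

# Constructed sample values (not real keys or addresses).
PMK = hashlib.sha256(b"constructed-pmk").digest()
AA, SPA, OTHER = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", b"\xcc\xdd\xee\xff\x00\x01"
ANONCE, SNONCE = b"\x01" * 32, b"\x02" * 32

def run_scenarios() -> dict:
    ap = Authenticator(AA)
    ap.eap_success(SPA, PMK)  # phase 1a completed from interface SPA
    body, mic = supplicant_msg2(PMK, AA, SPA, ANONCE, SNONCE)
    same_iface = ap.handle_msg2(SPA, ANONCE, SNONCE, body, mic)
    body2, mic2 = supplicant_msg2(PMK, AA, OTHER, ANONCE, SNONCE)
    other_iface = ap.handle_msg2(OTHER, ANONCE, SNONCE, body2, mic2)  # no PMKSA for OTHER
    return {"same_iface": same_iface, "other_iface": other_iface}
```

The second scenario is the case the message describes: the same PMK presented from a second interface is refused before any key is derived, and the address-bound PTK would differ anyway.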