-on-channel-binding-01.txt: EAP channel bindings
Hi Sam,
Here is my take on this topic:
After having reviewed draft-williams-on-channel-binding-01, I feel
that putting EAP in scope of that document would require a rather
involved revision of the document. As Charles noted it might require
further
Below are diffs to draft-williams-on-channel-binding-01.txt including:
- Alexey Melnikov's IANA text
- Fixes to Eric Gray's nits
- New text about EAP channel binding
- A clarification requested by Sam: this doc describes a generic notion
of channel binding, not [just] the GSS-API's
Please
On Mon, April 9, 2007 6:38 pm, [EMAIL PROTECTED] wrote:
Charles == Charles Clancy [EMAIL PROTECTED] writes:
Charles Sam Hartman wrote:
Charles == Charles Clancy [EMAIL PROTECTED] writes:
Charles I don't think I'm convinced that EAP channel bindings are
Charles doing this
On Mon, Apr 16, 2007 at 01:10:32AM -0500, Nicolas Williams wrote:
- New text about EAP channel binding
Actually, some of that text is incorrect -- I misunderstood the lying
NAS issue: it's not about MITM attacks but about making sure that the
client knows the correct name for the NAS so that it
On Fri, Apr 13, 2007 at 07:52:17PM -0400, Charles Clancy wrote:
Sam Hartman wrote:
The more I
read what you, Bernard and Charles say, the more I'm convinced that I
agree with your description of EAP and that my text is correct. The
more I talk, the more you're convinced that my text is
Lakshminath == Lakshminath Dondeti [EMAIL PROTECTED] writes:
I think that having a single abstraction that can describe
what went by multiple names in different areas can be very
useful because it facilitates cross-area communication. And
missing an opportunity to point out
Sam Hartman wrote:
The more I
read what you, Bernard and Charles say, the more I'm convinced that I
agree with your description of EAP and that my text is correct. The
more I talk, the more you're convinced that my text is wrong.
We're talking past each other somehow.
I think your text was
Hi Sam,
Here is my take on this topic:
After having reviewed draft-williams-on-channel-binding-01, I feel
that putting EAP in scope of that document would require a rather
involved revision of the document. As Charles noted it might require
further abstraction of the concept of channel
On Wed, Apr 11, 2007 at 11:03:29PM -0700, Lakshminath Dondeti wrote:
After having reviewed draft-williams-on-channel-binding-01, I feel
that putting EAP in scope of that document would require a rather
involved revision of the document. As Charles noted it might require
further abstraction
Hi Nico,
Please see inline:
Nicolas Williams wrote:
On Wed, Apr 11, 2007 at 11:03:29PM -0700, Lakshminath Dondeti wrote:
After having reviewed draft-williams-on-channel-binding-01, I feel
that putting EAP in scope of that document would require a rather
involved revision of the document. As
On Mon, April 9, 2007 3:38 pm, [EMAIL PROTECTED] wrote:
[snip]
I'd define the EAP channel binding problem as follows. There are two
sets of identities that the peer and authenticator use: one at the EAP
layer and one at a lower layer. There is an additional identity that
the authenticator
On Sat, Apr 07, 2007 at 04:44:54PM -0400, Charles Clancy wrote:
This is one of the fundamental issues with EAP channel bindings. The
NAS ID is bound to the AAA security association between the
authenticator and the EAP server. The MAC address is visible to the
client. Thus the peer and
to be an L2 identity. It can be any identity that's meaningful to the
parties involved, and can serve as the basis for making authorization
decisions.
As long as it's cryptographically bound to the L2 channel and that
channel provides suitable protection for the EAP method doing the EAP
Sam Hartman wrote:
Charles == Charles Clancy [EMAIL PROTECTED] writes:
Charles I don't think I'm convinced that EAP channel bindings are
Charles doing this binding to the L2 channel. The identity used
Charles in an EAP channel binding must be bound to the AAA
Charles security
Sam,
In skimming through Nico's draft, it looks like EAP's crypto bindings look
something like GSS channel bindings.
EAP's channel bindings, on the other hand, don't really look like GSS
channel bindings. In order for EAP's channel binding to look like GSS
channel binding, EAP channel binding
Charles == Charles Clancy [EMAIL PROTECTED] writes:
Charles Sam Hartman wrote:
Charles == Charles Clancy [EMAIL PROTECTED] writes:
Charles I don't think I'm convinced that EAP channel bindings are
Charles doing this binding to the L2 channel. The identity used
Charles
Hi.
For the last couple of years, we've been believing that EAP and GSS
used the term channel bindings inconsistently. For those of us
dealing with both, it's been a bit annoying.
I've been thinking about EAP a lot lately, and have come to the
conclusion that actually the terms are used
On Fri, Apr 06, 2007 at 02:41:09PM -0400, Charles Clancy wrote:
Sam,
In skimming through Nico's draft, it looks like EAP's crypto bindings look
something like GSS channel bindings.
Note: my I-D does not describe GSS channel binding -- it describes
channel binding. The reference to GSS
Sam,
Your observation is brilliant. Yes, I agree, EAP channel binding and
EAP cryptographic binding map to what my draft calls end-point
channel binding and unique channel binding, respectively. I had not
noticed this before.
Also, I think my draft's definition of end-point channel binding
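The two flavours the thread maps onto each other (EAP channel binding as end-point channel binding, EAP cryptographic binding as unique channel binding), together with the "lying NAS" problem described earlier (two identities for the authenticator, one at the EAP/AAA layer and one visible to the peer at the lower layer), as a toy simulation. This is an added example and is not text or code from draft-williams-on-channel-binding-01, from any EAP method, or from any AAA implementation; the message layout, key derivation, the channel-ID construction, and all identities, MAC addresses and nonces are invented for the illustration:

```python
"""Toy model of end-point vs unique channel binding in an EAP-like setting.

Added illustration only: not from draft-williams-on-channel-binding-01 nor
from any EAP/AAA implementation.  Message layout, key derivation and the
"channel ID" construction are invented for the example.
"""
import dataclasses
import hashlib
import hmac
import os

# Constructed long-term secret shared by peer and EAP server.  A real EAP
# method would export a key from its own exchange; this stands in for that.
SHARED_SECRET = b"constructed-peer-eap-server-secret"


def derive_cb_key(shared_secret: bytes, peer_nonce: bytes, server_nonce: bytes) -> bytes:
    """Per-session key under which the peer protects its channel-binding data."""
    return hmac.new(shared_secret, b"toy-cb-key" + peer_nonce + server_nonce,
                    hashlib.sha256).digest()


def channel_id_from_handshake(anonce: bytes, snonce: bytes,
                              peer_mac: bytes, nas_mac: bytes) -> bytes:
    """Unique channel binding value: a digest of the lower-layer handshake
    transcript.  Both ends of the L2 channel can compute it; a relayed
    session runs over a different channel and so yields a different value."""
    return hashlib.sha256(b"toy-l2-channel" + anonce + snonce + peer_mac + nas_mac).digest()


@dataclasses.dataclass(frozen=True)
class BindingMsg:
    nas_id_seen: str   # end-point binding: NAS identity the peer observed at L2
    channel_id: bytes  # unique binding: ID of the L2 channel the peer is on
    mac: bytes         # integrity tag under the per-session key


def _mac_input(nas_id: str, channel_id: bytes) -> bytes:
    nid = nas_id.encode()
    return len(nid).to_bytes(2, "big") + nid + channel_id


def peer_make_binding(cb_key: bytes, nas_id_seen: str, channel_id: bytes) -> BindingMsg:
    """Peer reports what it saw at the lower layer, protected by the EAP-layer key."""
    tag = hmac.new(cb_key, _mac_input(nas_id_seen, channel_id), hashlib.sha256).digest()
    return BindingMsg(nas_id_seen, channel_id, tag)


def server_check_binding(cb_key: bytes, msg: BindingMsg,
                         nas_id_asserted_over_aaa: str,
                         channel_id_reported_over_aaa: bytes) -> str:
    """EAP server compares the peer's view with what the NAS told the AAA
    server.  Returns 'ok' or the name of the first failing check."""
    expected = hmac.new(cb_key, _mac_input(msg.nas_id_seen, msg.channel_id),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg.mac):
        return "integrity-failure"     # peer's report was altered on the way
    if msg.nas_id_seen != nas_id_asserted_over_aaa:
        return "endpoint-mismatch"     # lying NAS: one name to the peer, another to AAA
    if not hmac.compare_digest(msg.channel_id, channel_id_reported_over_aaa):
        return "channel-mismatch"      # EAP relayed across a different L2 channel
    return "ok"


def simulate(nas_id_seen: str, nas_id_asserted: str,
             channel_peer: bytes, channel_nas: bytes, tamper=None) -> str:
    peer_nonce, server_nonce = os.urandom(16), os.urandom(16)
    cb_key = derive_cb_key(SHARED_SECRET, peer_nonce, server_nonce)  # both sides
    msg = peer_make_binding(cb_key, nas_id_seen, channel_peer)
    if tamper is not None:
        msg = tamper(msg)  # on-path modification between peer and EAP server
    return server_check_binding(cb_key, msg, nas_id_asserted, channel_nas)


# Constructed L2 parameters for an honest channel and for a relayed one.
PEER_MAC = bytes.fromhex("001122334455")
NAS_MAC = bytes.fromhex("aabbccddeeff")
MITM_MAC = bytes.fromhex("0badc0ffee00")
HONEST_CHANNEL = channel_id_from_handshake(b"A" * 32, b"S" * 32, PEER_MAC, NAS_MAC)
# Peer<->MITM leg of a relayed session: the peer sees the MITM's MAC as the NAS.
RELAY_PEER_SIDE = channel_id_from_handshake(b"A" * 32, b"S" * 32, PEER_MAC, MITM_MAC)
# MITM<->NAS leg: the real NAS sees the MITM as the peer, with its own nonces.
RELAY_NAS_SIDE = channel_id_from_handshake(b"B" * 32, b"T" * 32, MITM_MAC, NAS_MAC)


def scenarios() -> dict:
    """Honest run, lying NAS, relayed channel, and a NAS rewriting the report."""
    return {
        "honest": simulate("corp-ap-17", "corp-ap-17", HONEST_CHANNEL, HONEST_CHANNEL),
        "lying_nas": simulate("corp-ap-17", "guest-nas-3", HONEST_CHANNEL, HONEST_CHANNEL),
        "relayed": simulate("corp-ap-17", "corp-ap-17", RELAY_PEER_SIDE, RELAY_NAS_SIDE),
        "tampered": simulate("corp-ap-17", "guest-nas-3", HONEST_CHANNEL, HONEST_CHANNEL,
                             tamper=lambda m: dataclasses.replace(m, nas_id_seen="guest-nas-3")),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:10s} -> {result}")
```

The end-point check catches the NAS that calls itself one thing to the peer and another to the AAA server; the unique-channel check catches an EAP exchange relayed between two different lower-layer channels even when the names agree; and the integrity tag, keyed at the EAP layer where the NAS has no key, is what stops the NAS from simply rewriting the peer's report to match its own AAA identity.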
Nicolas == Nicolas Williams [EMAIL PROTECTED] writes:
Nicolas Also, I think my draft's definition of end-point channel
Nicolas binding needs to be tightened just a bit: not only must
Nicolas the end-point IDs be cryptographically bound into the
Nicolas channel, it must also be
Charles == Charles Clancy [EMAIL PROTECTED] writes:
to be an L2 identity. It can be any identity that's
meaningful to the parties involved, and can serve as the basis
for making authorization decisions.
As long as it's cryptographically bound to the L2 channel and
that