You probably haven't read section 5.3 of draft-ietf-emu-chbind-07. Please do before reading this message.
The initiator will send EAP channel binding data to the EAP server including what it knows of the acceptor name. Typically this will be the service and hostname. Often the initiator will not know the realm name. The EAP server needs to indicate back to the acceptor what attributes were used in channel binding with a successful response.

Typically the EAP server won't be able to verify the hostname. Instead, a proxy near the acceptor will verify the host name and assert a realm, and the EAP server will verify the realm.

So, what should the EAP server return? It seems fairly obvious that it should include the service name if that was verified. One argument is that it should include the host name even though it is not directly verified. The rationale here is that the system as a whole has verified the host name. The server could include the realm. The rationale is that that is what is actually verified. The server could include both.

I think my preference is that the server include the host name and not the realm. Including the realm seems a bit problematic because we may have some different structure in the future and the host name verification may not mirror the realm. So, codifying in our spec that sometimes clients learn that a hostname is verified via the realm seems problematic. I don't like the option of including both the hostname and the realm. It seems non-ideal to include attributes in the response that the client did not include, both for bandwidth and complexity reasons.

What do others think?

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
