>>>>> "Jim" == Jim Schaad <[email protected]> writes:
It's absolutely critical for mutual authentication that we have EAP
channel binding. That goes between the peer/initiator/subject and the
IDP/EAP server.
That is independent of GSS channel binding which goes between the
initiator/subject/peer and the RP/acceptor.
    Jim> Since we don't have the channel binding data for the IdP to
    Jim> compare unless the channel is going to produce it.  There is no
    Jim> channel binding data from the GSS-EAP mechanism until the MSK
    Jim> is created.  This would not be an issue if we were comparing
    Jim> text names, but then we have the issue of the difference
    Jim> between the DNS name used by the client and the AAAA realm name
    Jim> used by the RP.
OK, so we also have confusion about channels.  EAP channel binding
describes properties of the EAP lower layer--in our case the GSS
exchange.  The attributes we care about with regard to this channel are
(at least so far) the acceptor name.

The other channel, over which we apply GSS channel binding, is between
the subject and RP. That's the channel that might be TLS.  There, the
attributes we care about are things like the server certificate or the
hash of the finish messages.

GSS and EAP channel binding are even more different than is implied so
far.  It's not just that the channel is different and the attributes
we're talking about are different.  GSS channel binding is intended to
detect a man-in-the-middle attack.  EAP channel binding does make sure
that both ends of a connection have a consistent idea of naming.
However it's not really about detecting man in the middle attacks, but
more about maintaining consistency in a complex multi-party system.

Continual apologies for the terminology confusion. The EAP and GSS
communities independently came up with the term channel binding and
didn't realize the conflict until it was well established in both
communities.

--Sam
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
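The two checks Sam distinguishes above, modelled as an added example (this is not code from the thread, from the ABFAB drafts, or from any GSS-EAP implementation). The GSS binding is computed in the style of RFC 5929 "tls-server-end-point" (a hash of the server certificate; SHA-256 is hard-coded here, whereas RFC 5929 takes the hash from the certificate's signature algorithm), and the EAP binding is a plain case-insensitive name comparison, which deliberately ignores the DNS-name-versus-realm-name problem Jim raises. All certificates, names and the `run_exchange`/`scenarios` helpers are constructed for the illustration.

```python
import hashlib
import hmac

# Constructed sample inputs (not real certificates): any bytes will do for
# the model, since only their hashes are ever compared.
RP_CERT_DER = b"-- constructed DER for rp.example.com --"
MITM_CERT_DER = b"-- constructed DER for an attacker's certificate --"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """GSS channel-binding data for a TLS channel in the style of RFC 5929
    'tls-server-end-point': a hash of the server certificate.  SHA-256 is
    hard-coded here; RFC 5929 derives the hash from the certificate's
    signature algorithm."""
    return b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()


def gss_channel_binding_ok(initiator_cb: bytes, acceptor_cb: bytes) -> bool:
    """GSS channel binding (initiator <-> acceptor).  The mechanism checks that
    both ends derived identical bytes from the outer (TLS) channel.  A man in
    the middle that terminates TLS presents its own certificate to the
    initiator, so the two values differ and the context fails."""
    return hmac.compare_digest(initiator_cb, acceptor_cb)


def eap_channel_binding_ok(peer_acceptor_name: str, aaa_acceptor_name: str) -> bool:
    """EAP channel binding (peer <-> EAP server).  The EAP server checks that
    the acceptor name the peer believes it is talking to agrees with the name
    the RP asserted over AAA.  Case-insensitive string equality is a
    simplification (assumption); the thread notes DNS names and realm names
    need not match textually."""
    return peer_acceptor_name.lower() == aaa_acceptor_name.lower()


def run_exchange(cert_seen_by_initiator: bytes,
                 cert_held_by_acceptor: bytes,
                 peer_acceptor_name: str,
                 aaa_acceptor_name: str) -> dict:
    """Model one GSS-EAP exchange and report which of the two unrelated
    bindings holds.  Hypothetical helper, not a real API."""
    initiator_cb = tls_server_end_point(cert_seen_by_initiator)
    acceptor_cb = tls_server_end_point(cert_held_by_acceptor)
    return {
        "gss_binding": gss_channel_binding_ok(initiator_cb, acceptor_cb),
        "eap_binding": eap_channel_binding_ok(peer_acceptor_name, aaa_acceptor_name),
    }


def scenarios() -> dict:
    """Three constructed exchanges: honest, TLS man-in-the-middle, and
    inconsistent naming.  Each trips exactly one of the two checks (or none)."""
    return {
        "honest": run_exchange(RP_CERT_DER, RP_CERT_DER,
                               "rp.example.com", "rp.example.com"),
        # The attacker terminates TLS: the initiator hashes the attacker's
        # certificate while the real RP hashes its own.  The EAP binding is
        # unaffected because the naming is still consistent.
        "tls_mitm": run_exchange(MITM_CERT_DER, RP_CERT_DER,
                                 "rp.example.com", "rp.example.com"),
        # No man in the middle, but the RP asserts a different acceptor name
        # to the EAP server than the peer was configured with.  Only the EAP
        # binding notices; the TLS channel itself is fine.
        "name_mismatch": run_exchange(RP_CERT_DER, RP_CERT_DER,
                                      "rp.example.com", "rp.example.net"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:14s} gss={result['gss_binding']} eap={result['eap_binding']}")
```

The point of the three scenarios is that the two checks see different data and different parties: the GSS check never consults the EAP server, and the EAP check never sees a certificate hash, so neither can substitute for the other.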