Hi. While working on the Moonshot Implementation of EAP Channel Bindings, Margaret Wasserman discovered some attacks. We've been working on refining these attacks and put together a draft with our analysis. Please see draft-hartman-emu-mutual-crypto-bind
This is not a protocol flaw in EAP Channel Bindings or the ABFAB core specs. However, it is a serious concern in adding EAP Channel Binding to existing EAP methods. So, it's something that we should cover in describing how EAP should be used for application authentication.

This isn't a show stopper for Moonshot. The Moonshot Project can work around this for its implementation. Similarly, I believe that enough certificate validation will avoid this issue for people using ABFAB with PLASMA.

However, this is a fairly serious issue for the EAP community as a whole. It's very easy to deploy things in a manner where channel bindings don't provide security. We think the ABFAB community should track this issue. We'd ask that discussion take place on the [email protected] list.

Thanks for your consideration,

--Sam

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
