Abstract.

1. Expand the EAP and ABFAB.
2. Do you really want to talk about the use cases in the sentence?

Uses of EAP for Application-Layer Access

1. It is not clear to me that using channel bindings informs the peer what services are provided by an authenticator. What I think is given is that the peer can validate that a specific service is provided.
2. Para #2 says which service is needed, but the previous paragraph is talking about different services, not different qualities of a specific service. I don't think this follows well.
3. Swapping sentences 2 and 3 in para #2 might be reasonable, thus describing that the quality of service can be important and then giving an example of why that is true.
4. Do we have the ability to discuss the security implications in channel binding? In order for this to be true you need to have the ability to have a distinct name of the service between the low and high value versions of the same service. This would mean multiple names for the "print" service. It is not clear that this is how people are going to do this.
5. After reading this for a while, I think that part of my problem is that I am picking up a different meaning for the word service. I think of service as a print service, not as "the high security print service running on machine foo.example.com". If this is the case then that might be the clarification that removes the above comments.
6. I think that you might talk about the cases where channel binding COULD be required even for network authentication. The fact that it is not required does not mean that it cannot be used. One issue is going to be how an IdP identifies a network authentication service from a different service for the purposes of deciding if channel binding is going to be required.
7. Is it just important to prove that the EAP MSK is mutually held, or is it REQUIRED? What are the implications of not doing so?

Security Considerations

1. When doing channel binding, it is highly desirable (required?) that the authenticator is not able to modify (and potentially to see?) the channel binding data passed from the peer to the authenticator (or reverse) as part of the authentication process.

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
