One more issue…
Uses of EAP for Application-Layer Access

Ongoing work in the IETF (abfab working group) specifies the use of EAP over GSSAPI for generic application layer access. In the past, using EAP in this context has met resistance due to the lack of channel bindings [RFC6677]. Without channel bindings, a peer cannot verify if an authenticator is authorized to provide an advertised service. >>> In most network access use cases all access servers that are served by a particular EAP server are providing the same or very similar types of service. The peer does not need to differentiate between different access network services supported by the same EAP server. <<<

The statement conveyed by those last two sentences is not accurate. The services provided across different access networks can vary a lot. The simplest example is WiFi roaming. You could be using the same subscription across the globe, but each time you may be accessing the Internet via a distinct WiFi operator.

Now, the authors may feel reluctant to mandate channel binding on the network access authentication case as well. But at least, they shouldn't include a statement like the one above, which claims channel binding is not necessary for the network access case.

Alper
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
