>>>>> "Alper" == Alper Yegin <alper.ye...@yegin.org> writes:
>> authentication. The first is that EAP >only authenticates the >> home realm; it does not authenticate what >service youĆ¹re >> going to. So you might try to connect to your >e-mail and end up >> giving something access to your stored files and >pictures >> instead. That is, EAP has aphishing exposure in the >federated >> context. If the only thing you can get by using EAP is >network >> access, that exposure is only moderate. However in a fully >> >federated environment that is a huge exposure. Moonshot will >> address >thisproblem by using EAP channel binding Alper> "Channel binding" is a term that is specific to the network Alper> access application. For generic applications, we need Alper> something else. Basically we are talking about "authorization Alper> parameters." App server has verified that you are Joe, and Alper> you are allowed to use X, Y, Z apps/resources. This Alper> "authorization" aspect goes beyond "authentication" (as in Alper> extensible "authentication" protocol). This aspect may not be Alper> easy to stick in the EAP. When I'm speaking of channel binding, I am not speaking of that sort of authorization. i'm speaking of giving the peer (not the NAS) confidence that the peer has connected to the NAS that the peer intended to connect to. I argue that when you generalize the NAS so that the NAS is a mail server, web server, or other app server, the question of which generalized NAS you're talking to is far more important than in the network access application. I believe that both RFC 3748 and draft-ietf-emu-chbind define this problem as channel binding. At one level, I don't care what we call it: we need to solve it. Alper> and by doing the necessary >> >work to make that a viable solution. The second concern is that >> >interoperability is reduced when you have multiple >> authentication >approaches for the same problem. If EAP is going >> to be used for >application authentication, we need to understand >> how it relates to >the rest of the application authentication >> metasystem. Moonshot >proposes such a relationship, addressing my >> objection. Alper> Not sure I understand. EAP-based scheme will still appear as Alper> N+1st method. I don't understand your comment here. It may be something better discussed over the phone or something, although I'm happy to keep e-mailing on this. >> 8. Applicability Considerations >> >> Section 1.3 of RFC 3748 provides the applicability statement for >> EAP. Among other constraints, EAP is scoped for use in network >> access. This specification anticipates using EAP beyond its >> current scope. The assumption is that some other document will >> discuss the issues surrounding the use of EAP for application >> authentication and expand EAP's applicability. That document >> will likely enumerate Alper> Is this document available? Which document? The proposed applicability statement for EAP? No, I'm hoping that we can work on that in the WG we charter; would you be interested in helping with that document? Or are you talking about draft-howlett-eap-gss? If so, yes, that is in the ID repository? Or were you talking about the feasability analysis? If so, there is a link from www.painless-security.com/blog and will soon be a link from www.project-moonshot.org . I'd definitely be interested in a discussion with you about these issues. _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu