> [Joe] Good points, the text can be more specific:
> 
> "In environments where EAP is used for purposes other than network access
> authentication all EAP servers MUST enforce channel bindings.  For application
> authentication, the EAP server MUST require that the correct EAP lower-layer
> attribute be present in the channel binding data.   For network access
> authentication, the EAP server MUST require that if channel bindings are
> present they MUST contain the correct EAP lower-layer attribute.   All network
> access EAP peer implementations SHOULD use channel bindings including the EAP
> lower-layer attribute to explicitly identify the reason for authentication.
> Any new usage of EAP MUST use channel bindings including the EAP lower-layer
> attribute to prevent confusion with network access usage. "

This is looking good, modulo Sam's comment on EAP lower-layer vs. something
else that I'll leave to you and him to sort out.  I have a suggested rewrite,
mostly to clarify MUST vs. SHOULD requirements for support vs. usage, and
to reformat into a structured bullet list of requirements (this is not
intended to change any requirements from what you wrote):

"In environments where EAP is used for purposes other than network access
authentication:

        o All EAP servers and all application access EAP peers MUST
                support channel bindings.  All network access EAP peers
                SHOULD support channel bindings.

        o Channel binding MUST be used for all application authentication.
                The EAP server MUST require that the correct EAP lower-layer
                attribute be present in the channel binding data for
                application authentication.

        o Channel binding SHOULD be used for all network access authentication,
                and when channel binding data is present, the EAP server MUST
                require that it contain the correct EAP lower-layer attribute
                to explicitly identify the reason for authentication.

        o Any new usage of EAP MUST use channel bindings including the
                EAP lower-layer attribute to prevent confusion with network
                access usage."

Thanks,
--David

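As an added example, not text from the thread or from the draft, the following Python sketch turns the four bullets in David's proposed text above into one server-side decision function, so that the MUST/SHOULD split for application versus network access authentication can be checked case by case. The `Purpose` names, the shape of `ChannelBindingData` and the source of `actual_lower_layer` are assumptions, and the lower-layer labels used in the checks are constructed, not registry values.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Purpose(Enum):
    """Why the EAP server is being asked to authenticate (assumed names)."""
    NETWORK_ACCESS = "network-access"
    APPLICATION = "application"


@dataclass
class ChannelBindingData:
    """Channel-binding data sent by the peer; only the EAP lower-layer
    attribute is modelled here (field name is an assumption)."""
    eap_lower_layer: Optional[str] = None


@dataclass
class Decision:
    accept: bool
    reason: str


def enforce_channel_binding(purpose: Purpose, actual_lower_layer: str,
                            cb: Optional[ChannelBindingData]) -> Decision:
    """Server-side check following the four bullets in the proposed text.

    actual_lower_layer is what the server knows about the lower layer that is
    really carrying this EAP conversation (assumed to come from the AAA
    transport, i.e. not under the peer's control)."""
    if cb is None:
        if purpose is Purpose.APPLICATION:
            # Channel binding MUST be used for application authentication.
            return Decision(False, "application auth without channel binding")
        # Network access: channel binding is only a SHOULD for the peer.
        return Decision(True, "network access without channel binding")
    if cb.eap_lower_layer is None:
        # Whenever channel binding data is present, the EAP lower-layer
        # attribute MUST be present too, for either purpose.
        return Decision(False, "channel binding lacks EAP lower-layer attribute")
    if cb.eap_lower_layer != actual_lower_layer:
        # The peer's view of the lower layer disagrees with the server's: the
        # authentication is being used in a context the peer did not intend.
        return Decision(False, f"lower layer {cb.eap_lower_layer!r} claimed, "
                               f"{actual_lower_layer!r} observed")
    return Decision(True, "EAP lower-layer attribute verified")
```

The mismatch branch is the one that catches an application authentication being presented as network access (or vice versa), which is the "confusion with network access usage" the last bullet is about.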

> -----Original Message-----
> From: Joseph Salowey (jsalowey) [mailto:[email protected]]
> Sent: Tuesday, June 18, 2013 1:47 PM
> To: Black, David
> Cc: [email protected]; General Area Review Team; [email protected];
> [email protected]
> Subject: Re: [abfab] Gen-ART review of draft-ietf-abfab-eapapplicability-03
> 
> >>
> >> I think we could state this a bit better as something like:
> >>
> >> "In environments where EAP is used for application authentication and
> >> network access authentication all EAP servers MUST understand channel
> >> bindings and require that application bindings MUST be present in
> >> application authentication and that application bindings MUST be absent
> >> in network authentication.   All network access EAP peer implementations
> >> SHOULD support channel binding to explicitly identify the reason for
> >> authentication.  Any new usage of EAP MUST support channel bindings to
> >> prevent confusion with network access usage. "
> >
> > That text is an improvement, and it's headed in the same direction as Sam's
> > comment - "application bindings MUST be present in application
> > authentication" is a "MUST use" requirement, not just a "MUST implement"
> > requirement.
> >
> > OTOH, I'm not clear on what "application bindings" means, as that term's not
> > in the current draft.  Specifically, I'm a bit unclear on "application
> > bindings MUST be absent in network authentication" - does that mean that
> > channel binding must be absent, or that channel binding is optional, but if
> > channel binding is present, it MUST NOT be an "application binding", whatever
> > that is?
> >
> 
> Does this help?
> 
> Thanks,
> 
> Joe
> 
