Thread: Re: Issue 398: Discuss




2007-03-08 22:35:22
Bernard Aboba <mailto:bernard_abobahotmail.com> allegedly scribbled on
Thursday, March 08, 2007 4:05 PM:

...

> In section 2.2:
> > Where the backend server FQDN differs from the subjectAltName in
> > the certificate, the AAA client may not be able to successfully
> > determine whether it is talking to the correct backend
> > authentication server.
>
> Why does the AAA client even examine the certificate used within the
> EAP method?

I think that this problem is one result of the sloppy terminology I
mentioned in a previous comment: of course, the AAA server has no
business looking at this cert but the EAP server does.  The problem
arises from the inappropriate conflation of the back-end EAP server and
AAA server entities.

>
> > An EAP authenticator MUST NOT share any keying material with
> > another EAP authenticator, since if one EAP authenticator were
> > compromised, this would enable the compromise of keying material on
> > another authenticator.
>
> This text needs to be fixed to allow 802.11r style key hierarchies.
> Previous text gets this correct.