Thread: issue 357: Channel Binding Definition




issue 357: Channel Binding Definition
user name
2006-05-02 19:06:53
Minor clarification:

"Channel Binding

A *secure* mechanism for ensuring the correctness of channel properties
(such as endpoint identifiers) provided to the EAP peer, authenticator
and server."

The word secure is to imply that if this data is in fact sent as a blob
between the peer and server, it must be integrity protected.


Vidya

> -----Original Message-----
> From: Bernard Aboba [mailto:bernard_abobahotmail.com]
> Sent: Tuesday, May 02, 2006 7:11 AM
> To: eapfrascone.com
> Subject: [eap] Re: issue 357: Channel Binding Definition
>
> As Yoshi has pointed out, it may be possible to handle
> channel bindings by mixing keys so that comparison may not be
> required.  How about this?
>
> "Channel Binding
>
> A mechanism for ensuring the correctness of channel
> properties (such as endpoint identifiers) provided to the EAP
> peer, authenticator and server."
>
> -----------------------------------------------------------
> Issue 357: Channel Binding Definition
> Submitter name: Vidya Narayanan
> Submitter email address: vidyanqualcomm.com
> Date Submitted: May 1, 2006
> Reference: http://lists.frascone.com/pipermail/eap/msg04227.html
> Document: KEYING-12
> Comment type: 'T'echnical
> Priority: '1' Should fix
> Section: 1.2
> Rationale/Explanation of issue:
>
> The document defines channel binding
> as a communication within an EAP method - this seems a bit
> restrictive, given that channel binding information could be
> carried out-of-band as well. The only requirement is that the
> information be integrity protected between the peer and server.
>
> Requested change:
> Change wording to:
>
> "The communication of integrity-protected channel properties
> such as endpoint identifiers which can be compared to values
> communicated via out of band mechanisms (such as via a AAA or
> lower layer protocol)."
>
> _________________________________________________________________
> To unsubscribe or modify your subscription options, please visit:
> http://lists.frascone.com/mailman/listinfo/eap
>
> Archives: http://lists.frascone.com/pipermail/eap
>
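
Added example (not part of the thread or of the KEYING draft): a Python sketch of the two approaches mentioned in the message above, an integrity-protected blob of channel properties that the server compares with the values it received out of band, and key mixing, where no comparison is made. The property names, key labels and encoding are assumptions chosen for illustration.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output size

def encode_props(props):
    """Unambiguous encoding: sorted names, length-prefixed fields."""
    out = b""
    for name in sorted(props):
        for field in (name.encode(), props[name].encode()):
            out += len(field).to_bytes(2, "big") + field
    return out

def protect_blob(integrity_key, props):
    """Peer: channel properties followed by an HMAC-SHA256 tag."""
    blob = encode_props(props)
    return blob + hmac.new(integrity_key, blob, hashlib.sha256).digest()

def check_blob(integrity_key, message, out_of_band_props):
    """Server: verify the tag, then compare with the out-of-band values."""
    blob, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(integrity_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "bad-mac"    # blob was modified between peer and server
    if not hmac.compare_digest(blob, encode_props(out_of_band_props)):
        return "mismatch"   # peer and AAA were told different properties
    return "ok"

def mix_key(method_key, props):
    """Key mixing: each party derives the session key from its own view."""
    data = b"cb-mix" + encode_props(props)  # label is hypothetical
    return hmac.new(method_key, data, hashlib.sha256).digest()

# Constructed sample values, not taken from any real deployment.
METHOD_KEY = bytes(range(32))
INTEGRITY_KEY = hmac.new(METHOD_KEY, b"cb-integrity", hashlib.sha256).digest()
PEER_VIEW = {"authenticator-id": "ap-17.example.net", "ssid": "corp"}
AAA_VIEW_SAME = dict(PEER_VIEW)
AAA_VIEW_OTHER = {"authenticator-id": "ap-99.example.net", "ssid": "corp"}

if __name__ == "__main__":
    msg = protect_blob(INTEGRITY_KEY, PEER_VIEW)
    print(check_blob(INTEGRITY_KEY, msg, AAA_VIEW_SAME))    # ok
    print(check_blob(INTEGRITY_KEY, msg, AAA_VIEW_OTHER))   # mismatch
    same = mix_key(METHOD_KEY, PEER_VIEW) == mix_key(METHOD_KEY, AAA_VIEW_SAME)
    diff = mix_key(METHOD_KEY, PEER_VIEW) != mix_key(METHOD_KEY, AAA_VIEW_OTHER)
    print(same, diff)
```

With key mixing, a property mismatch is not reported explicitly; it shows up when the two sides end up holding different keys.
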
issue 357: Channel Binding Definition
user name
2006-05-02 19:23:08
That makes sense.  Do we also need to indicate that the channel bindings
need to be the same for all parties?  For example:

"Channel Binding

A secure mechanism for ensuring the synchronization and correctness of
channel properties (such as endpoint identifiers) provided to the EAP peer,
authenticator and server."

>Minor clarification:
>
>"Channel Binding
>
>A *secure* mechanism for ensuring the correctness of channel properties
>(such as endpoint identifiers) provided to the EAP peer, authenticator
>and server."
>
>The word secure is to imply that if this data is in fact sent as a blob
>between the peer and server, it must be integrity protected.
>
>Vidya


issue 357: Channel Binding Definition
user name
2006-05-02 19:20:31
sounds good.


>From: "Narayanan, Vidya" <vidyanqualcomm.com>
>To: "Bernard Aboba" <bernard_abobahotmail.com>, <eapfrascone.com>
>Subject: RE: [eap] Re: issue 357: Channel Binding Definition
>Date: Tue, 2 May 2006 12:06:53 -0700
>
>Minor clarification:
>
>"Channel Binding
>
>A *secure* mechanism for ensuring the correctness of channel properties
>(such as endpoint identifiers) provided to the EAP peer, authenticator
>and server."
>
>The word secure is to imply that if this data is in fact sent as a blob
>between the peer and server, it must be integrity protected.
>
>Vidya
>
> > -----Original Message-----
> > From: Bernard Aboba [mailto:bernard_abobahotmail.com]
> > Sent: Tuesday, May 02, 2006 7:11 AM
> > To: eapfrascone.com
> > Subject: [eap] Re: issue 357: Channel Binding Definition
> >
> > As Yoshi has pointed out, it may be possible to handle
> > channel bindings by mixing keys so that comparison may not be
> > required.  How about this?
> >
> > "Channel Binding
> >
> > A mechanism for ensuring the correctness of channel
> > properties (such as endpoint identifiers) provided to the EAP
> > peer, authenticator and server."
> >
> > -----------------------------------------------------------
> > Issue 357: Channel Binding Definition
> > Submitter name: Vidya Narayanan
> > Submitter email address: vidyanqualcomm.com
> > Date Submitted: May 1, 2006
> > Reference: http://lists.frascone.com/pipermail/eap/msg04227.html
> > Document: KEYING-12
> > Comment type: 'T'echnical
> > Priority: '1' Should fix
> > Section: 1.2
> > Rationale/Explanation of issue:
> >
> > The document defines channel binding
> > as a communication within an EAP method - this seems a bit
> > restrictive, given that channel binding information could be
> > carried out-of-band as well. The only requirement is that the
> > information be integrity protected between the peer and server.
> >
> > Requested change:
> > Change wording to:
> >
> > "The communication of integrity-protected channel properties
> > such as endpoint identifiers which can be compared to values
> > communicated via out of band mechanisms (such as via a AAA or
> > lower layer protocol)."
> >

