Submitter name: Joe Salowey
Submitter email address: jsalowey cisco.com
Date first submitted: 05/03/2006
Reference:
Document: Keying Framework
Comment type: 'T'echnical
Priority: '1' Should fix
Section: 2.2.1 and 3.2
Rationale/Explanation of issue:
Section 1.4.1 correctly defines the scope of the EAP keying material as being defined by the EAP Peer and EAP server, however this relationship is not carried out in other key scope discussions as far as I can tell.

In order for channel binding, key mixing etc. to work the peer must make sure that the key is used not just within the authorized parameters of the lower layer, but of the authorized scope of the EAP server as well.
I'm not sure of all the places where this needs to be addressed, but I think it needs to be addressed in section 2.2.1, perhaps by adding:

"[g] Verifying that the advertised scope is within the scope that the EAP server is allowed to authorize"

Section 3.2 should probably state somewhere that:

"The peer should verify that the key scope advertised by the authenticator is within the scope that is allowed to be authorized by the EAP Server."
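The two-part check the comment asks for, as an added illustration that is neither text from the Keying Framework draft nor code from the submitter. It models a key scope as a hypothetical triple (authenticator identities, lower-layer types, lifetime); the attribute names, the sample scopes and the idea that the peer learns the EAP server's authorized scope from configured policy are all assumptions made for the example. The point it shows is the gap the comment identifies: a scope that the lower layer would accept can still exceed what the EAP server is allowed to authorize, so the peer needs the second check as well.

```python
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class KeyScope:
    """Hypothetical description of where keying material may be used.

    authenticator_ids: authenticator identities the key may be bound to
    lower_layers:      lower-layer types the key may be exported to
    max_lifetime:      key lifetime in seconds
    """
    authenticator_ids: FrozenSet[str]
    lower_layers: FrozenSet[str]
    max_lifetime: int

    def covers(self, other: "KeyScope") -> bool:
        """True if every use permitted by `other` is also permitted by self."""
        return (
            other.authenticator_ids <= self.authenticator_ids
            and other.lower_layers <= self.lower_layers
            and other.max_lifetime <= self.max_lifetime
        )


def peer_scope_violations(advertised: KeyScope,
                          lower_layer_authorized: KeyScope,
                          eap_server_authorized: KeyScope) -> List[str]:
    """Peer-side verification of an advertised key scope.

    The first check is the one the draft already calls for (scope within
    the lower layer's authorized parameters); the second is the proposed
    item [g] (scope within what the EAP server is allowed to authorize).
    Returns the list of violations; an empty list means the key may be used.
    """
    problems = []
    if not lower_layer_authorized.covers(advertised):
        problems.append("advertised scope exceeds lower-layer authorized parameters")
    if not eap_server_authorized.covers(advertised):
        problems.append("advertised scope exceeds what the EAP server may authorize")
    return problems


def peer_accepts_key(advertised: KeyScope,
                     lower_layer_authorized: KeyScope,
                     eap_server_authorized: KeyScope) -> bool:
    """Convenience wrapper: the peer uses the key only with no violations."""
    return not peer_scope_violations(advertised, lower_layer_authorized,
                                     eap_server_authorized)


# Constructed sample scopes (assumed values, not from any deployment).
# The EAP server is authorized for two authenticators over 802.11 only.
SERVER_SCOPE = KeyScope(frozenset({"nas1.example", "nas2.example"}),
                        frozenset({"802.11"}), 3600)
# The lower layer's own policy is broader: a third authenticator, a second
# lower-layer type and a longer lifetime.
LOWER_LAYER_SCOPE = KeyScope(frozenset({"nas1.example", "nas2.example",
                                        "nas3.example"}),
                             frozenset({"802.11", "802.16"}), 7200)

# Case 1: within both scopes, accepted.
SCOPE_OK = KeyScope(frozenset({"nas1.example"}), frozenset({"802.11"}), 1800)
# Case 2: lifetime exceeds both policies, rejected by both checks.
SCOPE_TOO_LONG = KeyScope(frozenset({"nas1.example"}), frozenset({"802.11"}), 86400)
# Case 3: the gap the comment points at. nas3.example is fine for the lower
# layer, but the EAP server was never allowed to authorize it, so only the
# proposed check [g] catches it.
SCOPE_SERVER_ONLY = KeyScope(frozenset({"nas3.example"}), frozenset({"802.11"}), 1800)


if __name__ == "__main__":
    for name, scope in [("ok", SCOPE_OK), ("too_long", SCOPE_TOO_LONG),
                        ("server_only", SCOPE_SERVER_ONLY)]:
        print(name, peer_scope_violations(scope, LOWER_LAYER_SCOPE, SERVER_SCOPE))
```

Run stand-alone, the script prints the violations for each constructed case; the third case is accepted by the lower-layer check alone and rejected only once the EAP server's authorized scope is consulted.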
_________________________________________________________________
To unsubscribe or modify your subscription options, please visit: http://lists.frascone.com/mailman/listinfo/eap
Archives: http://lists.frascone.com/pipermail/eap