Thread: Issue 352: Channel Binding Issue

Issue 352: Channel Binding Issue
2006-05-07 18:44:35
> -----Original Message-----
> From: Yoshihiro Ohba [mailto:yohba tari.toshiba.com]
> Sent: Tuesday, May 02, 2006 4:23 PM
> To: Salowey, Joe
> Cc: Bernard Aboba; yohba tari.toshiba.com; eap frascone.com
> Subject: Re: [eap] Re: Issue 352: Channel Binding Issue
>
> On Tue, May 02, 2006 at 04:23:22PM -0700, Salowey, Joe wrote:
> > Hmmm...
> >
> > Peer gets MSK from EAP and mixes it with Y to get MSKY
> > Authenticator gets mixed MSKY in existing AAA attribute, since this is
> > an existing attribute it thinks it is just the MSK and mixes it with Y
> > to get MSKYY. MSKY and MSKYY don't match.
>
> There is some misunderstanding. If the authenticator is supposed to
> further mix Y to get MSKYY from MSKY, then the peer is also supposed
> to further mix Y to get MSKYY from MSKY.
>
[Joe] Yes, but how does the authenticator know if the mixing has been
done by the AAA or if it has to do the mixing?

> Yoshihiro Ohba
>
> >
> > It seems to me a separate attribute would really be better.
> >
> > > -----Original Message-----
> > > From: Bernard Aboba [mailto:bernard_aboba hotmail.com]
> > > Sent: Tuesday, May 02, 2006 3:58 PM
> > > To: yohba tari.toshiba.com; Salowey, Joe
> > > Cc: eap frascone.com
> > > Subject: Re: [eap] Re: Issue 352: Channel Binding Issue
> > >
> > > Right. The method just outputs the MSK/EMSK. As long as the
> > > same MSK is outputted on both the EAP peer and server, the
> > > authenticator doesn't need to know what channel bindings were
> > > mixed in.
> > >
> > > >From: Yoshihiro Ohba <yohba tari.toshiba.com>
> > > >To: "Salowey, Joe" <jsalowey cisco.com>
> > > >CC: Bernard Aboba <bernard_aboba hotmail.com>, yohba tari.toshiba.com,
> > > >    eap frascone.com
> > > >Subject: Re: [eap] Re: Issue 352: Channel Binding Issue
> > > >Date: Tue, 02 May 2006 18:55:29 -0400
> > > >
> > > >On Tue, May 02, 2006 at 03:21:19PM -0700, Salowey, Joe wrote:
> > > > > I'm not sure that carrying "mixed" MSKs in existing attributes is such a
> > > > > good idea, how does the authenticator know what it is getting?
> > > >
> > > >I don't think the authenticator needs to know whether the received key
> > > >is the MSK or mixed MSK, as long as both the peer and authenticator
> > > >obtain the same key.
> > > >
> > > >Yoshihiro Ohba
> > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Bernard Aboba [mailto:bernard_aboba hotmail.com]
> > > > > > Sent: Tuesday, May 02, 2006 12:27 PM
> > > > > > To: yohba tari.toshiba.com
> > > > > > Cc: eap frascone.com
> > > > > > Subject: Re: [eap] Re: Issue 352: Channel Binding Issue
> > > > > >
> > > > > > >Thank you for reading the document. And the answer is, if the
> > > > > > >generated "mixed" MSKs are carried in the existing AAA attributes
> > > > > > >instead of carrying the MSKs, then no AAA attributes or communication
> > > > > > >flow is required for EAP keying.
> > > > > >
> > > > > > It might be worth saying a few words about this in the paragraph.
> > > > > > Overall, I'm not sure whether the Channel Binding text in the document
> > > > > > is all that consistent/comprehensive.

Issue 352: Channel Binding Issue
2006-05-08 12:11:31
As the authenticator has to do its own mixing, it does not need
to know if the additional mixing has been done by the AAA or not.

Yoshihiro Ohba

On Sun, May 07, 2006 at 11:44:35AM -0700, Salowey, Joe wrote:
>
> > -----Original Message-----
> > From: Yoshihiro Ohba [mailto:yohba tari.toshiba.com]
> > Sent: Tuesday, May 02, 2006 4:23 PM
> > To: Salowey, Joe
> > Cc: Bernard Aboba; yohba tari.toshiba.com; eap frascone.com
> > Subject: Re: [eap] Re: Issue 352: Channel Binding Issue
> >
> > On Tue, May 02, 2006 at 04:23:22PM -0700, Salowey, Joe wrote:
> > > Hmmm...
> > >
> > > Peer gets MSK from EAP and mixes it with Y to get MSKY
> > > Authenticator gets mixed MSKY in existing AAA attribute, since this is
> > > an existing attribute it thinks it is just the MSK and mixes it with Y
> > > to get MSKYY. MSKY and MSKYY don't match.
> >
> > There is some misunderstanding. If the authenticator is supposed to
> > further mix Y to get MSKYY from MSKY, then the peer is also supposed
> > to further mix Y to get MSKYY from MSKY.
> >
> [Joe] Yes, but how does the authenticator know if the mixing has been
> done by the AAA or if it has to do the mixing?
>
> > Yoshihiro Ohba
> >
> > >
> > > It seems to me a separate attribute would really be better.
> > >
> > > > -----Original Message-----
> > > > From: Bernard Aboba [mailto:bernard_aboba hotmail.com]
> > > > Sent: Tuesday, May 02, 2006 3:58 PM
> > > > To: yohba tari.toshiba.com; Salowey, Joe
> > > > Cc: eap frascone.com
> > > > Subject: Re: [eap] Re: Issue 352: Channel Binding Issue
> > > >
> > > > Right. The method just outputs the MSK/EMSK. As long as the
> > > > same MSK is outputted on both the EAP peer and server, the
> > > > authenticator doesn't need to know what channel bindings were
> > > > mixed in.
> > > >
> > > > >From: Yoshihiro Ohba <yohba tari.toshiba.com>
> > > > >To: "Salowey, Joe" <jsalowey cisco.com>
> > > > >CC: Bernard Aboba <bernard_aboba hotmail.com>, yohba tari.toshiba.com,
> > > > >    eap frascone.com
> > > > >Subject: Re: [eap] Re: Issue 352: Channel Binding Issue
> > > > >Date: Tue, 02 May 2006 18:55:29 -0400
> > > > >
> > > > >On Tue, May 02, 2006 at 03:21:19PM -0700, Salowey, Joe wrote:
> > > > > > I'm not sure that carrying "mixed" MSKs in existing attributes is such a
> > > > > > good idea, how does the authenticator know what it is getting?
> > > > >
> > > > >I don't think the authenticator needs to know whether the received key
> > > > >is the MSK or mixed MSK, as long as both the peer and authenticator
> > > > >obtain the same key.
> > > > >
> > > > >Yoshihiro Ohba
> > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Bernard Aboba [mailto:bernard_aboba hotmail.com]
> > > > > > > Sent: Tuesday, May 02, 2006 12:27 PM
> > > > > > > To: yohba tari.toshiba.com
> > > > > > > Cc: eap frascone.com
> > > > > > > Subject: Re: [eap] Re: Issue 352: Channel Binding Issue
> > > > > > >
> > > > > > > >Thank you for reading the document. And the answer is, if the
> > > > > > > >generated "mixed" MSKs are carried in the existing AAA attributes
> > > > > > > >instead of carrying the MSKs, then no AAA attributes or communication
> > > > > > > >flow is required for EAP keying.
> > > > > > >
> > > > > > > It might be worth saying a few words about this in the paragraph.
> > > > > > > Overall, I'm not sure whether the Channel Binding text in the document
> > > > > > > is all that consistent/comprehensive.
|
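The positions taken in this thread can be traced with a small model, added here as an illustration and not taken from any message or from the draft under discussion. It assumes HMAC-SHA256 as the mixing function (the thread does not define one); the attribute labels `existing` and `mixed` are hypothetical, and the MSK and Y values are constructed.

```python
import hashlib
import hmac

def mix(key: bytes, y: bytes) -> bytes:
    # Assumed mixing function (HMAC-SHA256); the thread does not specify one.
    return hmac.new(key, y, hashlib.sha256).digest()

# Constructed sample values.
MSK = bytes(range(64))                # key exported by the EAP method
Y = b"constructed-channel-binding"    # channel binding data

def peer_key(rounds: int) -> bytes:
    """Peer starts from the MSK and mixes Y in `rounds` times."""
    k = MSK
    for _ in range(rounds):
        k = mix(k, Y)
    return k

def authenticator_key(attr: str, value: bytes, always_mix: bool) -> bytes:
    """Key the authenticator ends up using for a received AAA attribute.

    attr is a hypothetical label: "existing" (today's key attribute, whose
    content is unlabelled) or "mixed" (a separate attribute stating that Y
    has already been mixed in).
    """
    if attr == "mixed":
        return value                  # labelled as mixed: do not mix again
    return mix(value, Y) if always_mix else value

def run_cases() -> dict:
    msky = mix(MSK, Y)                # what the AAA server sends after mixing
    return {
        # Peer stops at MSKY, authenticator treats the value as a plain MSK.
        "peer_once_auth_mixes": peer_key(1) == authenticator_key("existing", msky, True),
        # Authenticator always mixes and the peer mixes a second time as well.
        "peer_twice_auth_mixes": peer_key(2) == authenticator_key("existing", msky, True),
        # Authenticator uses the received key unchanged.
        "peer_once_auth_passthrough": peer_key(1) == authenticator_key("existing", msky, False),
        # Separate attribute tells the authenticator the mixing is done.
        "peer_once_separate_attr": peer_key(1) == authenticator_key("mixed", msky, True),
    }

if __name__ == "__main__":
    for case, agree in run_cases().items():
        print(f"{case}: keys {'match' if agree else 'DIFFER'}")
```

Only the first case yields different keys on the two sides: the peer and authenticator disagree on how many times Y was mixed in, and nothing in the unlabelled attribute tells the authenticator which convention applies.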