It is possible to add, at a later stage, an interoperable channel bindings mechanism that can work with old clients and servers, by using the EAP-EXT method and running any EAP authentication method inside it.

Yoshihiro Ohba

On Fri, Sep 14, 2007 at 08:55:26AM -0400, Sam Hartman wrote:
> Hi.
>
> One of EMU's goals is to produce methods that meet requirements of RFC
> 4962 and hopefully the EAP keying framework.
>
> I've been a bit concerned about what you are going to do about channel
> bindings. It seems clear that EAP channel bindings are not mature
> enough that we want to require all your methods support
> them--especially not the EAP TLS draft that is on my plate now.
> However channel bindings seem important for meeting the RFC 4962
> requirements to authenticate all parties and limit the key scope.
>
> So, how do we proceed?
> I was discussing the issue with Tim, Russ and Jari.
> They had what I think is good advice.
>
> I'm going to ask that you show that it would be possible to extend any
> method you send to me to support channel bindings in an interoperable
> manner in the future. I would want to understand that it is possible
> to make it work with old clients or old EAP servers. Once I'm
> convinced it is possible to add in the future, I will be OK on the
> channel bindings issue.
>
> does this seem reasonable?
>
> Sam Hartman
> Security Area Director
>
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www1.ietf.org/mailman/listinfo/emu