Alan: I don't think we have a cryptographic binding WG work item, but a channel binding one. However, the crypto-binding requirement is captured in the Tunnel method requirement draft, as it is required to run a single tunneled EAP method or chained ones.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Thursday, June 05, 2008 11:24 AM
> To: Josh Howlett
> Cc: emu@ietf.org
> Subject: Re: [Emu] Tunnel Method (Current WG Work item status)
>
> Josh Howlett wrote:
> > Am I correct in understanding that section 3.3 ('Chained EAP Methods')
> > is not a violation of RFC3748 because it only applies to methods run
> > *within* the tunnel method itself, and not to other methods that might
> > precede or follow the tunnel method? In other words, this is not an
> > attempt to change the behaviour stipulated in RFC3748?
>
> That would be my understanding. Section 2.1 of RFC 3748 also says:
>
>    Multiple authentication methods within an EAP conversation are not
>    supported due to their vulnerability to man-in-the-middle attacks
>    (see Section 7.4) and incompatibility with existing
>    implementations.
>
> And Section 7.4 says:
>
>    As noted in Section 2.1, EAP does not permit untunneled sequences of
>    authentication methods.
>
> Due to MITM attacks, which may be mitigated by:
>
>    [b] Requiring cryptographic binding between the EAP tunneling
>        protocol and the tunneled EAP methods.
>
> Hence the current WG work items on cryptographic binding.
>
> Alan DeKok.
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu