> -----Original Message-----
> From: Qin Wu [mailto:sunse...@huawei.com] 
> Sent: Monday, August 17, 2009 1:29 AM
> To: Joseph Salowey (jsalowey); Alper Yegin; emu@ietf.org
> Subject: Re: [Emu] EAP and authorization
> 
> > There have been a lot of proposals about EAP and authorization in the
> > past.  At its very basis EAP performs authentication at the time of
> > service access and the data resulting from the authentication can then
> > be used for authorization and accounting purposes.
> 
> [Qin]: So the data resulting from the authentication can be used not only
> in authentication but also in authorization. I wonder what it is called:
> authentication data or authorization data?
> On the other hand, the data resulting from authorization can also be used
> in the second authentication.
> e.g., PEAP uses TLS to create an encrypted tunnel from the authentication
> server to the supplicant after verifying the identity of the
> authentication server.
> Once the encrypted tunnel is established, a second EAP authorization
> process occurs inside the tunnel to extend the TLS connection. Any
> implemented EAP authorization type (tokens, passwords, certificates, etc.)
> can be used, as the client is authenticated in the second EAP
> authentication process running inside the TLS connection.
> Regarding these data from authorization, what are they called:
> authentication data or authorization data?
> 
[Joe] The differences are subtle and I have used the terms somewhat
loosely.  If you want to get detailed then authentication data is
exchanged to validate data as originating from a particular source.
Often what is authenticated is a peer's identity, but other attributes
may be authenticated as well (attributes in a certificate for example).
The authenticity of these attributes may be validated with varying
degrees of certainty.  The resulting information that is collected
becomes the authorization data used to make authorization decisions.  

> > Some of the proposals attempt to enhance this in various ways.
> > One way is to carry additional data for use in the authorization
> > process.  EAP channel bindings are perhaps the simplest form of
> > authorization data proposed for EAP.  The authorization data is
> > directly related to the service which is performing the
> > authentication, at the time of authentication and the exchange is
> > relatively simple; data sent from client and result response from
> > server.  This exchange helps to ensure that an authenticator isn't
> > trying to provide services that it is not authorized to.  I don't see
> > much purpose in channel bindings if they are not used for authorization
> > or accounting for later forensic analysis of authorization after the
> > event.
> > 
> 
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
