Hi, Sam
I have the following questions concerning your new draft on mutual crypto
binding
1."What name types are supported and what configuration is easy to perform
depends significantly on the peer in question."
The issue comes when human beings are involved to verify a certifcate, but
if the checking procedure is implemented in software on the peer's side,
not verifying or ignoring the server's
certificate should not be a problem.
2. Section 3.2.4 "The MSK and EMSK for the tunnel depend on the MSK and
EMSK of
inner methods."
Does it means tunnel method has to support MSK and EMSK?
3. "but MUST NOT prevent an attacker who is unaware of the inner MSK from
forcing a bid-down
to MSK-based cryptographic binding."
Why MUST NOT? Is here a typo?
4. Section 4.2. "Services such as channel binding should be deferred until
after
cryptographic binding/mutual cryptographic binding."
Can't they happen simultaniously to save roundtrips?
5. Can I understand your mutual cryptographic binding as cryptographic
binding with MSK replaced by EMSK?
If not, what is the difference besides MSK and EMSK?
6. Since tunnel method using mutual cryptographic binding is already quite
strong authentication method,
what is the use of the inner EAP method?
7. This question might be similar to Question 6, since server
authentication by verifying certificate is not considered the unique one,
then what else authentication mechnisms can be used? Ones based on
password or preshared key?
If password or preshared key is used, is it the same credential with the
inner EAP method?
If the tunnel and inner method share the same credential, then isn't it a
bit redundant for two authentication?
Why not just upgrade weak EAP method to stronger ones? Since upgrading is
unavoidable if we want to protect weak ones with tunnel methods.
If the tunnel and inner method have different credential, then simple EAP
is becoming more complicated, is it really needed?
Regards~~~
-Sujing Zhou
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
