> On Jun 6, 2012, at 12:09 PM, Sam Hartman wrote:
>
> > I don't believe that existing crypto binding is adequate for NEA's needs
> > as discussed in draft-hartman-emu-mutual-crypto-binding.
> >
> > Unfortunately, though, I'm not sure that tls-unique helps enough here. If
> > the outer method actually does provide server authentication as
> > deployed, then tls-unique is adequate. TLS-unique is preferable to
> > crypto-binding because it allows you to determine whether you're talking
> > about the right tunnel in the scope of the inner method--prior to doing
> > the NEA assessment--rather than in the scope of the outer method. (Also,

But it said nea-pt-eap might come right after an inner EAP method, so crypto binding might be needed to bind the tunnel and inner methods.
tls-unique in the draft is used in a higher layer (by the broker) to bind the EAP tunnel channel with the application layer.

> > I'd assume this method does not generate a particularly useful key, so
> > crypto binding is not that helpful)

As far as I know, the nea-pt-eap method is not an authentication method; it is just used to transfer information, similar to EAP Identity.

> >
> > However, if you're depending on something other than the outer method
> > for server authentication, then TLS-unique is not good enough.

The secure transfer of nea-pt-eap depends entirely on the EAP tunnel method, so the EAP tunnel method is required to provide strong authentication, integrity and confidentiality protection.

Sujing Zhou