Hi Steve,
I don't think what you're talking about falls into the definition
of "channel binding", at least not the one I have, and I wouldn't be
surprised if others (like maybe people on the IESG) agree. And I
agree with Dave, and Glen, that this isn't authentication either.
"channel bindi
Dan Harkins wrote:
> "channel bindings" are supposed to solve the lying NAS problem*
> which is an issue of authentication (is this guy really who he claims
> to be?). What you want to do is use the EAP tunnel to transfer other
> kinds of data to do NEA posture checking. And, yes, we should deter
David Mitton wrote:
>> The main limitation on bulk data transfer is that most EAP to
>> RADIUS gateways (AP's, etc.) will terminate an EAP session after ~50
>> packets.
>
> This kind of thing drives me crazy. Why are there such policies?
To prevent bulk transfer of data over EAP, among others.
Hi Alan,
On Sun, August 16, 2009 1:09 am, Alan DeKok wrote:
> Dan Harkins wrote:
>> "channel bindings" are supposed to solve the lying NAS problem*
>> which is an issue of authentication (is this guy really who he claims
>> to be?). What you want to do is use the EAP tunnel to transfer other
Actually, in the email that you responded to, I was referring to
the EMU working group item in the current charter:
- A document that defines EAP channel bindings and provides guidance
for establishing EAP channel bindings within EAP methods.
I hope that we can both agree that this falls within o
Dan Harkins wrote:
> Authentication has to do with proving an identity. Authorization has
> to do with determining whether that proven identity is "good" or "bad".
That's a clear explanation.
> I'm not sure what sites do what but I'm not aware of an EAP method
> that checks a username and a
Hi Steve,
On Sun, August 16, 2009 9:43 am, Stephen Hanna wrote:
> I do not agree that EAP channel bindings are about
> authentication. They have two parts: checking whether
> the NAS is advertising services that it's not
> authorized to advertise and using information from
> the NAS (like which
Dan Harkins wrote:
> On Sun, August 16, 2009 9:43 am, Stephen Hanna wrote:
> > I do not agree that EAP channel bindings are about
> > authentication. They have two parts: checking whether
> > the NAS is advertising services that it's not
> > authorized to advertise and using information from
> > th
On 8/16/2009 04:30 AM, Alan DeKok wrote:
David Mitton wrote:
>> The main limitation on bulk data transfer is that most EAP to
>> RADIUS gateways (AP's, etc.) will terminate an EAP session after ~50
>> packets.
>
> This kind of thing drives me crazy. Why are there such policies?
To prevent bul
All,
> I agree that EAP was originally defined solely for the purpose
> of authentication. I agree that it is wise for us to consider
> carefully whether we want to also allow it to be used to carry
> information that is useful in authorization. While I believe that
> this is a good idea, I think
Hi,
>> >> The main limitation on bulk data transfer is that most EAP to
>> >> RADIUS gateways (AP's, etc.) will terminate an EAP session after ~50
>> >> packets.
>> >
>> > This kind of thing drives me crazy. Why are there such policies?
>>
>> To prevent bulk transfer of data over EAP, among oth
11 matches