The IESG has received a request from the EAP Method Update WG (emu) to consider the following document: - 'EAP Mutual Cryptographic Binding' <draft-ietf-emu-crypto-bind-04.txt> as Informational RFC The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2013-07-25. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract As the Extensible Authentication Protocol (EAP) evolves, EAP peers rely increasingly on information received from the EAP server. EAP extensions such as channel binding or network posture information are often carried in tunnel methods; peers are likely to rely on this information. RFC 3748 is a facility that protects tunnel methods against man-in-the-middle attacks. However, cryptographic binding focuses on protecting the server rather than the peer. This memo explores attacks possible when the peer is not protected from man-in- the-middle attacks and recommends mutual cryptographic binding, a new form of cryptographic binding that protects both peer and server along with other mitigations. The file can be obtained via http://datatracker.ietf.org/doc/draft-ietf-emu-crypto-bind/ IESG discussion can be tracked via http://datatracker.ietf.org/doc/draft-ietf-emu-crypto-bind/ballot/ No IPR declarations have been submitted directly on this I-D.
