Hi Bernard,

________________________________
From: Bernard Aboba [mailto:bernarda@xxxxxxxxxxxxxxxxxxxxx]
Sent: Sunday, February 18, 2007 6:49 AM
To: Narayanan, Vidya; Dondeti, Lakshminath; Sam Hartman
Cc: Dan Harkins; ietf@xxxxxxxx
Subject: RE: comments on draft-houseley-aaa-key-mgmt-07.txt

Vidya said:

"In my understanding, Dan's claim is that the server is unable to detect that an authenticator is claiming an incorrect identity and by virtue of that, if the authenticator claims the false identity to both the peer and the server, a key will be provided to the authenticator and that will match the key that the peer derives, even if the identity was part of the key derivation. This is the problem that I have detailed in my earlier email and I believe that can be resolved with the text I proposed."

This problem will exist whenever the peer does not receive an indication of whether an authenticator is authorized. For example, where the AAA exchange is bypassed, the backend server does not receive the authenticator identity claim so that there is no mutual authentication between the authenticator and server, no verification of the authenticator identity by the server, and no channel binding exchange.

<Vidya> Yes. Also, when RADIUS proxies are present, for instance, the AAA exchange and protection may only be hop-by-hop, right? In that case, I would think that the SA is not tied to the NAS ID - would the result of that also not be that the authenticator identity ends up not being explicitly authenticated?

Thanks,
Vidya

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
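The failure mode discussed in this message, modelled as an added example (this is not code from the draft or from anyone in the thread). It assumes hypothetical NAS and proxy names, an HMAC-SHA256 stand-in for the draft's key derivation and for the RADIUS hop-by-hop message authenticator, and a dictionary standing in for the server's security associations. It shows three things: a NAS that claims a false identity to both the peer and the server gets a matching key if the server keys off the claimed NAS-Identifier; the lie is caught once the server insists the claim match the identity its security association actually authenticates; and behind a proxy that check is impossible because the server's SA names the proxy, not the NAS.

```python
import hashlib
import hmac

# Constructed security associations for this example: the shared secret the AAA server holds
# with each RADIUS client it hears from directly (two NASes and one proxy). Hypothetical names.
AAA_SA = {
    "nas-A.example": b"shared-secret-A",
    "nas-B.example": b"shared-secret-B",
    "proxy.example": b"shared-secret-proxy",
}

# Constructed master key that the peer and the AAA server share after a successful EAP run.
MSK = bytes(range(64))

STATUS_OK = "ok"
STATUS_BAD_MAC = "request not authenticated by any AAA SA"
STATUS_MISMATCH = "claimed NAS-Identifier does not match the identity bound to the AAA SA"
STATUS_PROXIED = "cannot verify NAS identity: AAA SA is hop-by-hop with a proxy, not with the NAS"


def derive_key(msk: bytes, peer_id: str, nas_id: str) -> bytes:
    """Illustrative KDF (not the draft's): bind the derived key to the identities each side uses."""
    return hmac.new(msk, f"{peer_id}|{nas_id}".encode(), hashlib.sha256).digest()


def build_request(source: str, claimed_nas_id: str, peer_id: str) -> dict:
    """Simplified Access-Request: attributes plus a MAC under the sender's hop-by-hop secret.
    `source` is the RADIUS client the server really hears from; `claimed_nas_id` is whatever
    the NAS-Identifier attribute says, which need not be the truth."""
    body = f"User-Name={peer_id};NAS-Identifier={claimed_nas_id}".encode()
    mac = hmac.new(AAA_SA[source], body, hashlib.sha256).digest()
    return {"source": source, "body": body, "mac": mac,
            "claimed_nas_id": claimed_nas_id, "peer_id": peer_id}


def server_handle(request: dict, verify_nas_identity: bool):
    """Server side; returns (key, status). With verify_nas_identity=False the server keys off
    the claimed NAS-Identifier blindly. With True it requires the claim to equal the identity
    that the hop-by-hop security association authenticates."""
    secret = AAA_SA.get(request["source"])
    expected = hmac.new(secret, request["body"], hashlib.sha256).digest() if secret else b""
    if not secret or not hmac.compare_digest(expected, request["mac"]):
        return None, STATUS_BAD_MAC
    authenticated_id = request["source"]  # the only identity the SA vouches for
    if verify_nas_identity:
        if authenticated_id == "proxy.example":
            return None, STATUS_PROXIED  # the SA names the proxy, not the NAS behind it
        if authenticated_id != request["claimed_nas_id"]:
            return None, STATUS_MISMATCH
    return derive_key(MSK, request["peer_id"], request["claimed_nas_id"]), STATUS_OK


def run(true_nas: str, claimed_nas: str, via_proxy: bool, verify: bool):
    """The peer believes the authenticator is `claimed_nas`; the NAS (really `true_nas`) makes
    the same claim to the server, directly or through the proxy. Returns (status, keys_match)."""
    peer_key = derive_key(MSK, "alice", claimed_nas)
    source = "proxy.example" if via_proxy else true_nas
    server_key, status = server_handle(build_request(source, claimed_nas, "alice"), verify)
    return status, server_key == peer_key


def honest_nas():
    return run("nas-A.example", "nas-A.example", via_proxy=False, verify=True)  # ("ok", True)


def lying_nas_unchecked():
    # nas-A tells both peer and server it is nas-B; the server trusts the attribute, so the
    # keys match and the lie is invisible even though the identity is inside the KDF.
    return run("nas-A.example", "nas-B.example", via_proxy=False, verify=False)  # ("ok", True)


def lying_nas_checked():
    # Same lie, but the server compares the claim with the SA-authenticated identity.
    return run("nas-A.example", "nas-B.example", via_proxy=False, verify=True)  # (STATUS_MISMATCH, False)


def lying_nas_behind_proxy():
    # Hop-by-hop protection only: the server's SA is with the proxy, so the claim is uncheckable.
    return run("nas-A.example", "nas-B.example", via_proxy=True, verify=True)  # (STATUS_PROXIED, False)


if __name__ == "__main__":
    for scenario in (honest_nas, lying_nas_unchecked, lying_nas_checked, lying_nas_behind_proxy):
        print(f"{scenario.__name__}: {scenario()}")
```

The `verify_nas_identity=True` branch is the stand-in for tying the SA to the NAS ID; the proxy case shows why a hop-by-hop SA gives the server nothing to tie it to, which is the situation the reply asks about.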