Hi Nico,
Please see inline:
Nicolas Williams wrote:
On Wed, Apr 11, 2007 at 11:03:29PM -0700, Lakshminath Dondeti wrote:
After having reviewed "draft-williams-on-channel-binding-01," I feel
that putting EAP in scope of that document would require a rather
involved revision of the document. As Charles noted it might require
further abstraction of the concept of channel binding as defined in
draft-williams.
Now, I must say, I do see the similarities between the two notions of
channel binding. But the EAP/AAA model is unique and it is not easy to
map it to the other, let's say simpler, security models. The notion of
compound binding or crypto binding also has some similarities to the
notion of channel binding in draft-williams-on-channel-binding-01, but
there are also some differences.
Overall though, since expanding draft-williams-on-channel-binding-01's
scope to EAP means that the requirements, recommendations and
suggestions of Section 2.1 may be applied to EAP channel binding, it
would be a rather painful exercise to sort it all out. For now, I am
comfortable with the guidance in Section 7.15 of 3748.
My impression was that Sam's suggested text was introductory and
informative, and not at all intended to cause this doc to normatively
constrain EAP.
The draft is standards track and there is a lot of 2119 language in there.
I think that having a single abstraction that can describe what went by
multiple names in different areas can be very useful because it
facilitates cross-area communication. And missing an opportunity to
point out how two things are more similar than they look would help
perpetuate a perception that those two things are more different than
they actually are.
I can see your point of view. The other thing to worry about is that
the more we try to cover under a single abstraction, the more watered
down it might become to satisfy all viewpoints of applicability to all
of the domains. In fact, I find the requirements and recommendations in
the draft troublesome.
As I thought about it, perhaps here is something that might make sense:
Define channel binding so that we can cover all uses of that term.
Define properties and specify how one can achieve those properties. Not
sure this next one needs to be done in the current draft, define which
properties apply to which protocol. Alternatively, different protocol
drafts may specify which of the properties are required or recommended
in each case.
Does that make sense?
I know I am suggesting this, but until something like that is written, I
am not sure we can get there (haven't put enough thought into whether a
common consensus abstraction is possible here or not). As I noted in my
review of your draft, EAP model is different from some of the other
security models in the IETF.
best regards,
Lakshminath
Nico
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf