Glen, I have to agree with Dorothy's comment. This method should provide for channel binding support. I find your unsubstantiated assertion that doing so would be absurd uncompelling. You claim that channel bindings are poorly defined. I believe that draft-ietf-emu-chbind brings us most if not all of the way there for some important use cases. However, if you take a look at that draft, you'll find that it's a lot better defined for the case where an EAP method will transport the channel binding than for the case where a secure association protocol is used. In particular:

1) The secure association protocol by its nature happens after the access-accept. I've already started a session--told the peer to go ahead with things before channel binding can be confirmed. It's not clear in existing secure association protocols where the EAP server gets to interact with the peer again in order to tell it that channel binding verification has failed. So, it is unclear that the primary purpose of channel binding can be performed in this case.

2) The document does not define sufficient messaging to communicate with a AAA server to perform channel binding in a secure association protocol.

So, basically, I think for channel binding to work it needs to be available in the method. Moreover, whether channel binding is critical in a given deployment is not actually dependent on which methods are used in that deployment. It's dependent on whether a deployment has multiple situations where a peer could be significantly disadvantaged by authenticating to the wrong NAS. So, I cannot see good criteria for deciding when to add channel binding and when not to add channel binding to new proposed methods. Certainly, part of this is that I'm working on an EAP deployment where channel binding is absolutely critical to the security of the environment.
Especially since I don't see how to actually make it work with a secure association protocol, I'm strongly in favor of a requirement to support channel binding in new methods.

--Sam

Ietf mailing list: https://www.ietf.org/mailman/listinfo/ietf
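The consistency check that point 1) above turns on, modelled as an added example (not code from the mail or from draft-ietf-emu-chbind): the EAP server compares the attributes the peer reports seeing from the NAS against those the AAA server received in the Access-Request, and does so while the method is still running, so the peer learns of a failure before any access-accept. The attribute names, the required-attribute policy and the sample views are assumptions constructed for this illustration.

```python
# Added illustration of an in-method channel-binding check; not the draft's
# actual encoding. Attribute names and policy are assumptions.
from typing import Dict, List, Set, Tuple

# Attributes the peer observed from the link layer and sent to the EAP server
# inside the method, protected by the method's integrity key (constructed).
PEER_VIEW = {"NAS-Identifier": "ap-building-3", "Called-Station-Id-SSID": "corp"}

# What the AAA server actually received from the NAS in the Access-Request
# (constructed): one honest NAS and one whose claim to AAA differs from what
# it advertised to the peer.
AAA_VIEW_HONEST = {"NAS-Identifier": "ap-building-3", "Called-Station-Id-SSID": "corp"}
AAA_VIEW_MISMATCH = {"NAS-Identifier": "ap-building-3", "Called-Station-Id-SSID": "guest"}

# Deployment policy: attributes that must agree on both sides (assumption).
REQUIRED = {"NAS-Identifier", "Called-Station-Id-SSID"}


def check_channel_binding(peer_view: Dict[str, str], aaa_view: Dict[str, str],
                          required: Set[str]) -> Tuple[bool, List[str]]:
    """Compare the peer's view of the NAS with the AAA server's view.
    Returns (consistent, list of human-readable mismatches)."""
    problems: List[str] = []
    for attr in sorted(required):
        if attr not in peer_view or attr not in aaa_view:
            problems.append(f"{attr}: not present on both sides")
        elif peer_view[attr] != aaa_view[attr]:
            problems.append(f"{attr}: peer saw {peer_view[attr]!r}, "
                            f"AAA saw {aaa_view[attr]!r}")
    return (not problems, problems)


def server_decision(peer_view: Dict[str, str], aaa_view: Dict[str, str],
                    required: Set[str]) -> Dict[str, object]:
    """Run the check before the AAA result is produced. A failure is signalled
    to the peer inside the method and the NAS gets Access-Reject, so no
    session is ever started on a NAS whose identity the peer could not trust."""
    ok, problems = check_channel_binding(peer_view, aaa_view, required)
    if ok:
        return {"to_peer": "CB-Success", "aaa_result": "Access-Accept", "problems": []}
    return {"to_peer": "CB-Failure", "aaa_result": "Access-Reject", "problems": problems}


if __name__ == "__main__":
    for label, aaa in (("honest NAS", AAA_VIEW_HONEST), ("mismatched NAS", AAA_VIEW_MISMATCH)):
        print(label, server_decision(PEER_VIEW, aaa, REQUIRED))
```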