The changes in draft-ietf-emu-chbind-15.txt satisfactorily address almost all of the comments in my April 13, 2012 secdir review. I do have one remaining substantive comment on this latest draft and two non-substantive ones. Substantive Comment ------------------- The last paragraph of section 9.1 points out a security problem with implementing channel bindings using EAP tunnel methods. If the EAP tunnel method terminates on the authenticator, the channel bindings can easily be defeated by the authenticator. While that's true, nobody terminates the EAP tunnel method on the authenticator today. In the EAP model, the authenticator is not trusted so terminating the EAP tunnel method on the authenticator is a bad idea for many reasons. For example, the authenticator would then have the ability to bypass protected result indications and to bypass all the cryptographic protections provided by the tunnel. Sometimes there is value in having the inner and outer methods terminate on different servers but both servers must be trusted. The authenticator is not. So there is no big security hole here, unless you have already opened an enormous security hole. It's ironic that this document which attempts to close vulnerabilities caused by malicious authenticators ends up subtly suggesting that people open a much larger vulnerability! I would recommend deleting the end of this paragraph, starting with the sentence that starts "Even when cryptographic binding". If you choose to keep this strange text, I suggest that you at least note that terminating an EAP tunnel method on the authenticator is unusual. For example, you could add a parenthetical comment like "(rare)" after the clause "if the outer method tunnel terminates on the authenticator". Non-Substantive Comments ------------------------ In the first paragraph of section 3, an extraneous numeral 3 was somehow added to the end of the second sentence. T. Charles Clancy's address in the Authors' Addresses section now reads: T. Charles Clancy Virginia Tech Virginia Tech Arlington, VA 22203 USA The duplication of Virginia Tech should be removed from this address. I appreciate the hard work of the document editors to address my many earlier comments. I hope that these new comments will also be useful. Thanks, Steve