IETF Logo Mail Archive

Re: [abfab] Gen-ART review of draft-ietf-abfab-eapapplicability-03

"Black, David" <david.black@emc.com> Tue, 18 June 2013 19:35 UTC

Return-Path: <david.black@emc.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74DA421E80C1; Tue, 18 Jun 2013 12:35:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qwUFxhG5gcMO; Tue, 18 Jun 2013 12:35:21 -0700 (PDT)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 5A18B21E80C0; Tue, 18 Jun 2013 12:35:17 -0700 (PDT)
Received: from hop04-l1d11-si04.isus.emc.com (HOP04-L1D11-SI04.isus.emc.com [10.254.111.24]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r5IJZGCe028823 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 18 Jun 2013 15:35:16 -0400
Received: from mailhub.lss.emc.com (mailhubhoprd01.lss.emc.com [10.254.221.251]) by hop04-l1d11-si04.isus.emc.com (RSA Interceptor); Tue, 18 Jun 2013 15:34:57 -0400
Received: from mxhub26.corp.emc.com (mxhub26.corp.emc.com [10.254.110.182]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r5IJYhuw023324; Tue, 18 Jun 2013 15:34:55 -0400
Received: from mx15a.corp.emc.com ([169.254.1.184]) by mxhub26.corp.emc.com ([10.254.110.182]) with mapi; Tue, 18 Jun 2013 15:34:45 -0400
From: "Black, David" <david.black@emc.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
Date: Tue, 18 Jun 2013 15:34:44 -0400
Thread-Topic: [abfab] Gen-ART review of draft-ietf-abfab-eapapplicability-03
Thread-Index: Ac5rzQ3h5Vr98eb9RParuraCHgwUcgAYb7oMABB0QQAAClxl4P//t2GAgAA80uA=
Message-ID: <8D3D17ACE214DC429325B2B98F3AE71298265300@MX15A.corp.emc.com>
References: <8D3D17ACE214DC429325B2B98F3AE71298265158@MX15A.corp.emc.com> <tsl38sfbiyd.fsf@mit.edu> <A95B4818FD85874D8F16607F1AC7C628CF9E35@xmb-rcd-x09.cisco.com> <8D3D17ACE214DC429325B2B98F3AE712982652A5@MX15A.corp.emc.com> <A95B4818FD85874D8F16607F1AC7C628CFA26E@xmb-rcd-x09.cisco.com>
In-Reply-To: <A95B4818FD85874D8F16607F1AC7C628CFA26E@xmb-rcd-x09.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
Cc: General Area Review Team <gen-art@ietf.org>, "abfab@ietf.org" <abfab@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [abfab] Gen-ART review of draft-ietf-abfab-eapapplicability-03
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jun 2013 19:35:26 -0000

> [Joe] Good points, the text can be more specific:
> 
> "In environments where EAP is used for purposes other than network access
> authentication all EAP servers MUST enforce channel bindings.  For application
> authentication, the EAP server MUST require that the correct EAP lower-layer
> attribute be present in the channel binding data.   For network access
> authentication, the EAP server MUST require that if channel bindings are
> present they MUST contain the correct EAP lower-layer attribute.   All network
> access EAP peer implementations SHOULD use channel bindings including the EAP
> lower-layer attribute to explicitly identify the reason for authentication.
> Any new usage of EAP MUST use channel bindings including the EAP lower-layer
> attribute to prevent confusion with network access usage. "

This is looking good, modulo Sam's comment on EAP lower-layer vs. something
else that I'll leave to you and he to sort out.  I have a suggested rewrite,
mostly to clarify MUST vs. SHOULD requirements for support vs. usage, and
to reformat into a structured bullet list of requirements (this is not
intended to change any requirements from what you wrote):

"In environments where EAP is used for purposes other than network access
authentication:

	o All EAP servers and all application access EAP peers MUST
		support channel bindings.  All network access EAP peers
		SHOULD support channel bindings.

	o Channel binding MUST be used for all application authentication.
		The EAP server MUST require that the correct EAP lower-layer
		attribute be present in the channel binding data for
		application authentication.

	o Channel binding SHOULD be used for all network access authentication,
		and when channel binding data is present, the EAP server MUST
		require that it contain the correct EAP lower-layer attribute
		to explicitly identify the reason for authentication.

	o Any new usage of EAP MUST use channel bindings including the
		EAP lower-layer attribute to prevent confusion with network
		access usage."

Thanks,
--David


> -----Original Message-----
> From: Joseph Salowey (jsalowey) [mailto:jsalowey@cisco.com]
> Sent: Tuesday, June 18, 2013 1:47 PM
> To: Black, David
> Cc: stefan.winter@restena.lu; General Area Review Team; abfab@ietf.org;
> ietf@ietf.org
> Subject: Re: [abfab] Gen-ART review of draft-ietf-abfab-eapapplicability-03
> 
> >>
> >> I think we could state this a bit better as something like:
> >>
> >> "In environments where EAP is used for applications authentication and network
> >> access authentication all EAP servers MUST understand channel bindings and
> >> require that application bindings MUST be present in application
> >> authentication and that application bindings MUST be absent in network
> >> authentication.   All network access EAP peer implementations SHOULD support
> >> channel binding to explicitly identify the reason for authentication.  Any new
> >> usage of EAP MUST support channel bindings to prevent confusion with network
> >> access usage. "
> >
> > That text is an improvement, and it's headed in the same direction as Sam's
> > comment - "application bindings MUST be present in application authentication"
> > is a "MUST use" requirement, not just a "MUST implement" requirement.
> >
> > OTOH, I'm not clear on what "application bindings" means, as that term's not
> > in the current draft.  Specifically, I'm a bit unclear on "application bindings
> > MUST be absent in network authentication" - does that mean that channel
> > binding must be absent, or that channel binding is optional, but if channel
> > binding is present, it MUST NOT be an "application binding", whatever that
> is?
> >
> 
> [Joe] Good points, the text can be more specific:
> 
> "In environments where EAP is used for purposes other than network access
> authentication all EAP servers MUST enforce channel bindings.  For application
> authentication, the EAP server MUST require that the correct EAP lower-layer
> attribute be present in the channel binding data.   For network access
> authentication, the EAP server MUST require that if channel bindings are
> present they MUST contain the correct EAP lower-layer attribute.   All network
> access EAP peer implementations SHOULD use channel bindings including the EAP
> lower-layer attribute to explicitly identify the reason for authentication.
> Any new usage of EAP MUST use channel bindings including the EAP lower-layer
> attribute to prevent confusion with network access usage. "
> 
> Does this help?
> 
> Thanks,
> 
> Joe
>

v2.23.0 | Report a Bug | By Email