Re: [abfab] Gen-ART review of draft-ietf-abfab-eapapplicability-03
"Black, David" <david.black@emc.com> Tue, 18 June 2013 19:35 UTC
Return-Path: <david.black@emc.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74DA421E80C1; Tue, 18 Jun 2013 12:35:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qwUFxhG5gcMO; Tue, 18 Jun 2013 12:35:21 -0700 (PDT)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 5A18B21E80C0; Tue, 18 Jun 2013 12:35:17 -0700 (PDT)
Received: from hop04-l1d11-si04.isus.emc.com (HOP04-L1D11-SI04.isus.emc.com [10.254.111.24]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r5IJZGCe028823 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 18 Jun 2013 15:35:16 -0400
Received: from mailhub.lss.emc.com (mailhubhoprd01.lss.emc.com [10.254.221.251]) by hop04-l1d11-si04.isus.emc.com (RSA Interceptor); Tue, 18 Jun 2013 15:34:57 -0400
Received: from mxhub26.corp.emc.com (mxhub26.corp.emc.com [10.254.110.182]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r5IJYhuw023324; Tue, 18 Jun 2013 15:34:55 -0400
Received: from mx15a.corp.emc.com ([169.254.1.184]) by mxhub26.corp.emc.com ([10.254.110.182]) with mapi; Tue, 18 Jun 2013 15:34:45 -0400
From: "Black, David" <david.black@emc.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
Date: Tue, 18 Jun 2013 15:34:44 -0400
Thread-Topic: [abfab] Gen-ART review of draft-ietf-abfab-eapapplicability-03
Thread-Index: Ac5rzQ3h5Vr98eb9RParuraCHgwUcgAYb7oMABB0QQAAClxl4P//t2GAgAA80uA=
Message-ID: <8D3D17ACE214DC429325B2B98F3AE71298265300@MX15A.corp.emc.com>
References: <8D3D17ACE214DC429325B2B98F3AE71298265158@MX15A.corp.emc.com> <tsl38sfbiyd.fsf@mit.edu> <A95B4818FD85874D8F16607F1AC7C628CF9E35@xmb-rcd-x09.cisco.com> <8D3D17ACE214DC429325B2B98F3AE712982652A5@MX15A.corp.emc.com> <A95B4818FD85874D8F16607F1AC7C628CFA26E@xmb-rcd-x09.cisco.com>
In-Reply-To: <A95B4818FD85874D8F16607F1AC7C628CFA26E@xmb-rcd-x09.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
Cc: General Area Review Team <gen-art@ietf.org>, "abfab@ietf.org" <abfab@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [abfab] Gen-ART review of draft-ietf-abfab-eapapplicability-03
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jun 2013 19:35:26 -0000
> [Joe] Good points, the text can be more specific: > > "In environments where EAP is used for purposes other than network access > authentication all EAP servers MUST enforce channel bindings. For application > authentication, the EAP server MUST require that the correct EAP lower-layer > attribute be present in the channel binding data. For network access > authentication, the EAP server MUST require that if channel bindings are > present they MUST contain the correct EAP lower-layer attribute. All network > access EAP peer implementations SHOULD use channel bindings including the EAP > lower-layer attribute to explicitly identify the reason for authentication. > Any new usage of EAP MUST use channel bindings including the EAP lower-layer > attribute to prevent confusion with network access usage. " This is looking good, modulo Sam's comment on EAP lower-layer vs. something else that I'll leave to you and he to sort out. I have a suggested rewrite, mostly to clarify MUST vs. SHOULD requirements for support vs. usage, and to reformat into a structured bullet list of requirements (this is not intended to change any requirements from what you wrote): "In environments where EAP is used for purposes other than network access authentication: o All EAP servers and all application access EAP peers MUST support channel bindings. All network access EAP peers SHOULD support channel bindings. o Channel binding MUST be used for all application authentication. The EAP server MUST require that the correct EAP lower-layer attribute be present in the channel binding data for application authentication. o Channel binding SHOULD be used for all network access authentication, and when channel binding data is present, the EAP server MUST require that it contain the correct EAP lower-layer attribute to explicitly identify the reason for authentication. o Any new usage of EAP MUST use channel bindings including the EAP lower-layer attribute to prevent confusion with network access usage." Thanks, --David > -----Original Message----- > From: Joseph Salowey (jsalowey) [mailto:jsalowey@cisco.com] > Sent: Tuesday, June 18, 2013 1:47 PM > To: Black, David > Cc: stefan.winter@restena.lu; General Area Review Team; abfab@ietf.org; > ietf@ietf.org > Subject: Re: [abfab] Gen-ART review of draft-ietf-abfab-eapapplicability-03 > > >> > >> I think we could state this a bit better as something like: > >> > >> "In environments where EAP is used for applications authentication and network > >> access authentication all EAP servers MUST understand channel bindings and > >> require that application bindings MUST be present in application > >> authentication and that application bindings MUST be absent in network > >> authentication. All network access EAP peer implementations SHOULD support > >> channel binding to explicitly identify the reason for authentication. Any new > >> usage of EAP MUST support channel bindings to prevent confusion with network > >> access usage. " > > > > That text is an improvement, and it's headed in the same direction as Sam's > > comment - "application bindings MUST be present in application authentication" > > is a "MUST use" requirement, not just a "MUST implement" requirement. > > > > OTOH, I'm not clear on what "application bindings" means, as that term's not > > in the current draft. Specifically, I'm a bit unclear on "application bindings > > MUST be absent in network authentication" - does that mean that channel > > binding must be absent, or that channel binding is optional, but if channel > > binding is present, it MUST NOT be an "application binding", whatever that > is? > > > > [Joe] Good points, the text can be more specific: > > "In environments where EAP is used for purposes other than network access > authentication all EAP servers MUST enforce channel bindings. For application > authentication, the EAP server MUST require that the correct EAP lower-layer > attribute be present in the channel binding data. For network access > authentication, the EAP server MUST require that if channel bindings are > present they MUST contain the correct EAP lower-layer attribute. All network > access EAP peer implementations SHOULD use channel bindings including the EAP > lower-layer attribute to explicitly identify the reason for authentication. > Any new usage of EAP MUST use channel bindings including the EAP lower-layer > attribute to prevent confusion with network access usage. " > > Does this help? > > Thanks, > > Joe >
- [abfab] Gen-ART review of draft-ietf-abfab-eapapp… Black, David
- Re: [abfab] Gen-ART review of draft-ietf-abfab-ea… Sam Hartman
- Re: [abfab] Gen-ART review of draft-ietf-abfab-ea… Black, David
- Re: [abfab] Gen-ART review of draft-ietf-abfab-ea… Joseph Salowey (jsalowey)
- Re: [abfab] Gen-ART review of draft-ietf-abfab-ea… Black, David
- Re: [abfab] Gen-ART review of draft-ietf-abfab-ea… Joseph Salowey (jsalowey)
- Re: [abfab] Gen-ART review of draft-ietf-abfab-ea… Sam Hartman
- Re: [abfab] Gen-ART review of draft-ietf-abfab-ea… Black, David
- Re: [abfab] Gen-ART review of draft-ietf-abfab-ea… Joseph Salowey (jsalowey)
- Re: [abfab] Gen-ART review of draft-ietf-abfab-ea… Joseph Salowey (jsalowey)
- Re: [abfab] Gen-ART review of draft-ietf-abfab-ea… Sam Hartman
- Re: [abfab] Gen-ART review of draft-ietf-abfab-ea… Black, David
- [abfab] Gen-ART review of draft-ietf-abfab-eapapp… Black, David
- Re: [abfab] Gen-ART review of draft-ietf-abfab-ea… Black, David
- Re: [abfab] [Gen-art] Gen-ART review of draft-iet… Jari Arkko