Re: [saag] Additions to RFC 3631?

[Steven Bellovin <smb@cs.columbia.edu>]

On May 21, 2012, at 2:07 02PM, Nico Williams wrote:

> On Mon, May 21, 2012 at 12:59 PM, Steven Bellovin <smb@cs.columbia.edu> wrote:
>> On May 21, 2012, at 1:06 49PM, Nico Williams wrote:
>>> On Mon, May 21, 2012 at 11:42 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:>>> +1 to adding EAP as a mechanism.
>>>> 
>>>> +/-0 to adding channel bindings, given how few people understand them.
>>> 
>>> EIther it's important/useful or not.  If it is then having some text
>>> in this RFC would help those people who don't understand CB.
>>> 
>> I agree.
> 
> But is it important/useful?
> 
> Given that MSFT has implemented and deployed it I think it's at least useful.
> 
> I do think CB is important -- certainly as a protocol design/analysis
> tool.  I also think it should be used more often.  You'd think I would
> think that, given that I'm the author of RFC5056, but I like to think
> that I'm objective enough on this topic...  enough so that I can tell
> you what the biggest problem with CB is: the fact that it's one more
> thing that the application developer has to know about and do.  It'd
> be nice if more of the protocol stack up to and including
> application-layer authentication (where there is the option to do
> that) were abstracted.  Still, CB is relatively simple: extract the CB
> from the channel, feed it to authentication.


Thinking further, I'm not sure how much text should be in 3631bis, as opposed
to just having a pointer to 5056.  But that's a minor point.

		--Steve Bellovin, https://www.cs.columbia.edu/~smb