Hi Bernard,
Thanks for reviewing our document.
In fact both ID_S and ID_P are authenticated in EAP-EKE, not just
asserted, so they can be used as RFC 5247 identities. See for example
http://tools.ietf.org/html/draft-sheffer-emu-eap-eke-09#section-5.1.
A more detailed response will follow once we've hashed out the details
of Session-ID.
Thanks,
Yaron
Date: Mon, 15 Nov 2010 20:43:46 -0800
From: Bernard Aboba<bernard_aboba(_at_)hotmail(_dot_)com>
Subject: Problem with draft-sheffer-emu-eap-eke
To:<iesg(_at_)ietf(_dot_)org>,<ietf(_at_)ietf(_dot_)org>
Message-ID:<BLU104-W201F08439317108F9749193370(_at_)phx(_dot_)gbl>
Content-Type: text/plain; charset="iso-8859-1"
I just took a look at the EAP EKE document recently approved by the IESG for
publication as an Informational RFC:
http://tools.ietf.org/html/draft-sheffer-emu-eap-eke-09
The document does not define the following parameters required by RFC 5247:
1. Peer-Id
2. Server-Id
3. Session-Id
In particular, the omission of the Session-Id is a significant problem, since
this is required for EAP methods
to be usable within IEEE 802.1X-2010.
My suggestion is that ID_P be designated as the Peer-Id. Since the Server
identity is not authenticated (just asserted), it is not clear to me whether
ID_S is suitable for use as the Server-Id.
My suggestion is that the Session-Id be defined as follows:
Session-Id = Type-Code || Nonce_P || Nonce_S
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf