
RE: Problem with draft-sheffer-emu-eap-eke

2010-11-17 06:01:59
Looks OK to me.

Hope this helps.

 ~gwz


-----Original Message-----
From: ietf-bounces(_at_)ietf(_dot_)org 
[mailto:ietf-bounces(_at_)ietf(_dot_)org] On Behalf Of
Yaron Sheffer
Sent: Wednesday, November 17, 2010 6:14 PM
To: ietf(_at_)ietf(_dot_)org
Subject: Re: Problem with draft-sheffer-emu-eap-eke

Expanding on my previous response, I suggest resolving Bernard's
concern by adding the following text:

5.6 EAP Key Generation

EAP-EKE can be used for EAP key generation, as defined by [RFC 5247].
When used in this manner, the values required to establish the key
hierarchy are defined as follows:

- Peer-Id is the EAP-EKE ID_P value.
- Server-Id is the EAP-EKE ID_S value.
- Session-Id is the concatenated Type | Nonce_P | Nonce_S, where Type is
the method type defined for EAP-EKE in [Sec. 4.1], a single octet.

Thanks,
      Yaron

On 11/16/2010 05:49 PM, Yaron Sheffer wrote:
Hi Bernard,

Thanks for reviewing our document.

In fact both ID_S and ID_P are authenticated in EAP-EKE, not just
asserted, so they can be used as RFC 5247 identities. See for example
http://tools.ietf.org/html/draft-sheffer-emu-eap-eke-09#section-5.1.

A more detailed response will follow once we've hashed out the details
of Session-ID.

Thanks,
Yaron

Date: Mon, 15 Nov 2010 20:43:46 -0800
From: Bernard Aboba<bernard_aboba(_at_)hotmail(_dot_)com>
Subject: Problem with draft-sheffer-emu-eap-eke
To:<iesg(_at_)ietf(_dot_)org>,<ietf(_at_)ietf(_dot_)org>
Message-ID:<BLU104-W201F08439317108F9749193370(_at_)phx(_dot_)gbl>
Content-Type: text/plain; charset="iso-8859-1"


I just took a look at the EAP EKE document recently approved by the
IESG for publication as an Informational RFC:
http://tools.ietf.org/html/draft-sheffer-emu-eap-eke-09

The document does not define the following parameters required by RFC
5247:

1. Peer-Id
2. Server-Id
3. Session-Id

In particular, the omission of the Session-Id is a significant
problem, since this is required for EAP methods
to be usable within IEEE 802.1X-2010.

My suggestion is that ID_P be designated as the Peer-Id. Since the
Server identity is not authenticated (just asserted), it is not clear
to me whether ID_S is suitable for use as the Server-Id.

My suggestion is that the Session-Id be defined as follows:
Session-Id = Type-Code || Nonce_P || Nonce_S


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
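
The Session-Id construction proposed above (Type | Nonce_P | Nonce_S, Type as a single octet) and the Peer-Id / Server-Id mapping, worked through as an added example. This code is not from the draft or from anyone in the thread. Two things it assumes are not on this page: the EAP method Type value for EAP-EKE (the proposed text defers to Sec. 4.1 of the draft, so a placeholder constant is used) and the nonce length (16-byte constructed sample nonces are used).

```python
# Added example: the three RFC 5247 export values that the proposed
# Section 5.6 text defines for EAP-EKE. Not code from the draft.
#
# ASSUMPTIONS (not given on this page):
#   - the EAP method Type value for EAP-EKE; ASSUMED_EAP_EKE_TYPE is a
#     placeholder, the real value lives in Sec. 4.1 of the draft
#   - the length of Nonce_P / Nonce_S; 16-byte sample nonces are constructed
from dataclasses import dataclass

ASSUMED_EAP_EKE_TYPE = 53  # placeholder value, see note above


def session_id(method_type: int, nonce_p: bytes, nonce_s: bytes) -> bytes:
    """Session-Id = Type | Nonce_P | Nonce_S, with Type as a single octet."""
    if not 0 <= method_type <= 255:
        raise ValueError("EAP method Type must fit in a single octet")
    if not nonce_p or not nonce_s:
        raise ValueError("Nonce_P and Nonce_S must both be present")
    return bytes([method_type]) + nonce_p + nonce_s


@dataclass(frozen=True)
class Rfc5247Exports:
    """The three RFC 5247 identifiers the thread asks the draft to define."""
    peer_id: bytes      # ID_P
    server_id: bytes    # ID_S
    session_id: bytes   # Type | Nonce_P | Nonce_S


def eap_eke_exports(id_p: bytes, id_s: bytes, method_type: int,
                    nonce_p: bytes, nonce_s: bytes) -> Rfc5247Exports:
    """Peer-Id is ID_P, Server-Id is ID_S, Session-Id as defined above."""
    return Rfc5247Exports(id_p, id_s, session_id(method_type, nonce_p, nonce_s))


def both_sides_agree(peer_view: Rfc5247Exports,
                     server_view: Rfc5247Exports) -> bool:
    """Peer and server each compute the exports from their own view of the
    exchange; a lower layer such as 802.1X needs the Session-Id (and the
    identities) to come out identical on both sides."""
    return peer_view == server_view


# Constructed sample values, not real protocol output.
ID_P = b"alice@example.com"
ID_S = b"server.example.com"
NONCE_P = bytes(range(16))
NONCE_S = bytes(range(16, 32))

PEER_VIEW = eap_eke_exports(ID_P, ID_S, ASSUMED_EAP_EKE_TYPE, NONCE_P, NONCE_S)
SERVER_VIEW = eap_eke_exports(ID_P, ID_S, ASSUMED_EAP_EKE_TYPE, NONCE_P, NONCE_S)

# The order of the nonces is part of the definition: swapping Nonce_P and
# Nonce_S yields a different Session-Id, so the value binds the two roles.
SWAPPED = session_id(ASSUMED_EAP_EKE_TYPE, NONCE_S, NONCE_P)

if __name__ == "__main__":
    print("Session-Id:", PEER_VIEW.session_id.hex())
    print("both sides agree:", both_sides_agree(PEER_VIEW, SERVER_VIEW))
    print("swapped nonces differ:", SWAPPED != PEER_VIEW.session_id)
```

The leading Type octet means a consumer of the Session-Id can tell which EAP method produced it by inspecting the first byte, and the two nonces give each side a contribution of its own freshness to the identifier.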
