Hi all,

I sat down last night to implement channel bindings in XSupplicant, and
had some questions about the functionality and intent of some pieces.
It is unclear to me if this discussion belongs here, or on the EMU list,
so I figured I would start here.

In Figure 1 of draft-ietf-emu-chbind-05, it seems that the exchange
results in the communications ending in the wrong direction. I am
used to seeing the final EAP packet prior to the authentication server
sending an Access-Accept headed from the EAP peer to the authentication
server. However, Figure 1 and the included text indicate that once the
EAP peer sends the i1 information to the authentication server, the
server responds with a success or failure.

At this point, it seems that the EAP peer needs to respond to the
authentication server in order to complete the lock-step round trip. I
was unable to locate anything in the document that defines what this
response should be.

The other thing that I ran across is also in the CB_success/failure
message. The text and diagram indicate that in the CB_success/failure
message the authentication server can optionally send i1, i2, or other
information used in the validation check. What is unclear is how the
"other information" should be encoded. I would assume that the intent
is that it would be encoded as an AVP, however the document also states
that there may be information in use that isn't easily encoded in an
AVP. I suspect this is where the section "optionally includes all or
some of the information that was used in the check" comes in. However,
if not all of the information is provided back to the EAP peer, then the
peer won't be able to determine the exact reason for the failure. It
may even be possible that if the EAP peer evaluates the information
provided from the authentication server it would discover that it should
have passed, since the thing that caused the failure may not be
included. If the EAP peer can't use the information to give the user
at the keyboard some idea of why things failed, then does it really make
sense to have it in there?
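As an added illustration of the partial-echo point above (this is not code from the draft or from XSupplicant), the toy model below has the server compare the peer's i1 against its own i2, then lets the peer re-run the same check over whatever the CB_failure message echoes back. The attribute names, the dictionary stand-in for AVP encoding, and the "echo a subset" behaviour are assumptions for this example, not the encoding defined in draft-ietf-emu-chbind-05.

```python
from typing import Dict, Optional, Set, Tuple

AVPs = Dict[str, str]  # one attribute/value pair per channel-binding item

# i1: what the EAP peer observed from the authenticator (constructed sample)
PEER_I1: AVPs = {"ssid": "corp-wifi", "nas_id": "ap-17", "nas_ip": "192.0.2.10"}
# i2: what the authentication server learned over AAA (constructed sample;
# nas_ip deliberately differs so that the consistency check fails)
SERVER_I2: AVPs = {"ssid": "corp-wifi", "nas_id": "ap-17", "nas_ip": "192.0.2.99"}


def server_check(i1: AVPs, i2: AVPs) -> Tuple[bool, Dict[str, Tuple[str, str]]]:
    """Consistency check: every attribute present in both i1 and i2 must agree.
    Returns (passed, {attr: (peer_value, server_value)} for each mismatch)."""
    common = i1.keys() & i2.keys()
    mismatches = {a: (i1[a], i2[a]) for a in common if i1[a] != i2[a]}
    return (not mismatches, mismatches)


def build_cb_result(i1: AVPs, i2: AVPs, echo: Optional[Set[str]] = None) -> dict:
    """Build the CB_success/CB_failure message (assumed shape).
    `echo` selects which attributes are sent back to the peer; None echoes all."""
    passed, _ = server_check(i1, i2)
    attrs = i1.keys() & i2.keys() if echo is None else echo
    return {
        "result": "CB_success" if passed else "CB_failure",
        "i1": {a: i1[a] for a in attrs if a in i1},
        "i2": {a: i2[a] for a in attrs if a in i2},
    }


def peer_diagnose(msg: dict) -> Optional[str]:
    """Peer re-runs the same check over whatever was echoed back.
    Returns a human-readable reason for the failure, or None when the echoed
    data looks consistent, i.e. the peer cannot tell why the check failed."""
    if msg["result"] == "CB_success":
        return None
    _, mismatches = server_check(msg["i1"], msg["i2"])
    if not mismatches:
        return None  # looks as if it should have passed: the cause was omitted
    return "; ".join(f"{a}: peer saw {p!r}, server saw {s!r}"
                     for a, (p, s) in mismatches.items())
```

With everything echoed the peer can name the mismatching attribute; with the failing attribute left out of the echo, the peer's own re-check passes and it has nothing useful to report to the user.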