Hi, During Last Call on draft-harkins-emu-eap-pwd a comment was made that this draft lacked the ability to do a protected exchange of TLVs the way EAP-GPSK does. Which got me to wondering.
Is it the intention of the community that each individual EAP method will have to define ciphers to negotiate, how to negotiate a cipher, how to get a key for the cipher, how to use the cipher to protect a new payload that contains arbitrary TLVs? I personally think that's a bad idea. Each EAP method would have to basically duplicate a whole bunch of capabilities. Would it not be better to do this with two new EAP codes to pass TLVs in each direction and the have a single definition of the cipher and a single definition of how to get the key and a single definition of how to use the cipher and key to protect packets with these new EAP codes? That leaves EAP methods to do authentication and generation of the MSK and EMSK, period. The (optional) exchange of packets with these new EAP codes would happen after the EAP method has finished sending requests and responses and before "success" is declared. Disregarding the EMU charter for a minute, would this be a better architectural solution? regards, Dan. _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
