On Feb 5, 2019, at 11:16 AM, Mohit Sethi M <mohit.m.se...@ericsson.com> wrote:
> 
> Peer/Client authentication in stage 1 of EAP-TTLS is optional. So there 
> is probably no difference if you do EAP-TLS first and then possibly use 
> EAP-TTLS resumption.

  OK.

> But the other way, EAP-TTLS/EAP-PEAP first and then 
> EAP-TLS resumption is not okay. That is because you can't know how 
> and when the client was authenticated with EAP-TTLS/EAP-PEAP.

  Presumably it's the same authentication server for all authentication 
methods.  Which means that the authentication server is already allowing 
session resumption.

  So by your argument, allowing session resumption for TTLS may be OK.  
Allowing session resumption for EAP-TLS is not OK, because octet 5 is 
different, and authentication with EAP-TLS is different than authentication 
with TTLS.

  I think we're going in a loop here.  I just don't see how there's any 
quantitative difference, and your examples aren't really convincing me.

> I think we are in agreement that there is no good reason to allow such 
> cross-method resumption and that this should be forbidden as such.

  No that is *not* what I said.

  I don't see an issue with cross-method session resumption.  I'm happy to 
allow it.  I was pretty clear on that.

  What I'm saying is that if there's no consensus that it should be allowed, 
then I'm fine with forbidding it.

  Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
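A model of the server-side check the two positions above are arguing about, as an added example that is not code from this thread, from the draft under discussion, or from any EAP server. It reads the EAP Type out of octet 5 of a Request/Response packet (the RFC 3748 header layout: Code, Identifier, Length, then Type), ties each cached TLS session to the method under which the full handshake ran, and implements both policies: forbid cross-method resumption outright, or allow it but refuse to resume under EAP-TLS a session whose first-stage handshake never authenticated the peer (the EAP-TTLS/PEAP stage-1 case Mohit raises). The `peer_authenticated` flag, the cache layout and the class and function names are assumptions made for illustration; the type numbers 13, 21 and 25 are the IANA-assigned values for EAP-TLS, EAP-TTLS and PEAP.

```python
"""Server-side EAP session-resumption policy keyed on the EAP method type.

Added example for the discussion above; not code from the thread, from the
draft under discussion, or from any EAP server implementation.
"""

from dataclasses import dataclass
from typing import Dict, Optional

# IANA-assigned EAP method types (RFC 3748 "Method Types" registry).
EAP_TLS = 13
EAP_TTLS = 21
EAP_PEAP = 25

# EAP packet header (RFC 3748, section 4): Code(1) Identifier(1) Length(2),
# followed by Type(1) in Request/Response packets, so Type is octet 5.
EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_OFFSET = 4


def build_eap(code: int, identifier: int, eap_type: int, data: bytes = b"") -> bytes:
    """Serialize an EAP Request/Response packet (used to construct sample input)."""
    body = bytes([eap_type]) + data
    length = 4 + len(body)
    return bytes([code, identifier]) + length.to_bytes(2, "big") + body


def method_type(packet: bytes) -> int:
    """Return the EAP Type (octet 5) of a Request/Response packet, after the
    header checks a server should make before trusting that octet."""
    if len(packet) < EAP_TYPE_OFFSET + 1:
        raise ValueError("packet too short to carry a Type field")
    if packet[0] not in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE):
        raise ValueError("only Request/Response packets carry a Type")
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    return packet[EAP_TYPE_OFFSET]


@dataclass
class CachedSession:
    """What the server remembers about a TLS session it may later resume.
    peer_authenticated is an assumption of this model: whether the peer proved
    its identity inside the TLS handshake (optional in stage 1 of TTLS/PEAP)."""
    method: int
    peer_authenticated: bool


class ResumptionPolicy:
    """allow_cross_method=False is the 'forbid it' position. True is the
    'allow it' position with one guard: a session is resumed under EAP-TLS
    only if its original handshake authenticated the peer."""

    def __init__(self, allow_cross_method: bool) -> None:
        self.allow_cross_method = allow_cross_method
        self._cache: Dict[bytes, CachedSession] = {}

    def record_full_handshake(self, session_id: bytes, method: int,
                              peer_authenticated: bool) -> None:
        self._cache[session_id] = CachedSession(method, peer_authenticated)

    def may_resume(self, session_id: bytes, resuming_packet: bytes) -> bool:
        """Decide whether the session may be resumed under the method named
        in octet 5 of the peer's EAP-Response."""
        entry: Optional[CachedSession] = self._cache.get(session_id)
        if entry is None:
            return False
        resuming_method = method_type(resuming_packet)
        if resuming_method == entry.method:
            return True                       # same-method resumption
        if not self.allow_cross_method:
            return False                      # policy: forbid cross-method
        if resuming_method == EAP_TLS and not entry.peer_authenticated:
            return False                      # TTLS/PEAP stage 1 without peer auth
        return True


if __name__ == "__main__":
    # Constructed sample: a TTLS session whose stage 1 did not authenticate the peer,
    # then a peer trying to resume it under EAP-TLS (type 13 in octet 5).
    strict = ResumptionPolicy(allow_cross_method=False)
    strict.record_full_handshake(b"sess-1", EAP_TTLS, peer_authenticated=False)
    print(strict.may_resume(b"sess-1", build_eap(EAP_CODE_RESPONSE, 1, EAP_TLS)))
```

The decision is keyed on the method the server itself ran the full handshake under, not on anything the peer asserts at resumption time; the only peer-supplied input is octet 5 of the resuming packet, which is validated against the Code and Length fields before use.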