On Feb 7, 2019, at 4:26 AM, Mohit Sethi M <mohit.m.se...@ericsson.com> wrote:
>
> Hi Alan, John,
> ...
> For me, an EAP-TLS server should not only refuse resumption if a client
> was not authenticated, it should also refuse resumption if the client
> was authenticated with other methods than certificates (such as passwords).
>
> Do you agree?
You already asked that question, and my answer was "no". Asking again won't change that answer.

If the server decides that a particular user is authenticated, the server can choose to allow session resumption. I fail to see how changing octet 5 of the EAP packet changes any of the security properties. And the explanations so far don't address any of my questions about this topic.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
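The two positions in this exchange, made concrete as an added example (this is not code from the thread or from any EAP implementation). It parses the fixed EAP header so that "octet 5" is visible as the Type field (Code, Identifier, two-octet Length, then Type, per RFC 3748; EAP-TLS is Type 13 per RFC 5216), and it keeps the resumption decision on the server side, driven by what the server recorded about the original authentication rather than by the Type octet of the packet that asks to resume. The policy names `any-authenticated` and `certificate-only`, the `SessionRecord` fields, the session ids and the cache contents are all constructed for illustration.

```python
"""
Constructed EAP-TLS resumption-policy example (not from the mailing-list thread).

Octet 5 of an EAP Request/Response is the Type field (RFC 3748 section 4):
Code(1) Identifier(1) Length(2) Type(1). The server's resumption decision
below depends only on its own cached record of the original authentication.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# EAP Codes (RFC 3748) and method Types (EAP-TLS = 13, RFC 5216; EAP-TTLS = 21, RFC 5281)
EAP_CODE_REQUEST, EAP_CODE_RESPONSE, EAP_CODE_SUCCESS, EAP_CODE_FAILURE = 1, 2, 3, 4
EAP_TYPE_TLS = 13
EAP_TYPE_TTLS = 21


@dataclass(frozen=True)
class EapHeader:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]  # None for Success/Failure, which carry no Type octet


def parse_eap_header(pkt: bytes) -> EapHeader:
    """Parse the fixed EAP header; the Type octet (octet 5, counting from 1)
    is present only on Request and Response packets."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than the 4-octet header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP Length field {length} != packet size {len(pkt)}")
    if code in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE):
        if len(pkt) < 5:
            raise ValueError("Request/Response without a Type octet")
        return EapHeader(code, ident, length, pkt[4])
    return EapHeader(code, ident, length, None)


@dataclass(frozen=True)
class SessionRecord:
    """What the server stored when the full conversation finished (constructed)."""
    authenticated: bool  # did the original conversation end in EAP-Success?
    auth_method: str     # "certificate" or "password" (hypothetical labels)
    eap_type: int        # method Type used in the original conversation


def resumption_allowed(rec: Optional[SessionRecord], policy: str) -> bool:
    """Server-side decision under the two policies argued on the list.

    'any-authenticated': resume whenever the original session authenticated
                         (the server decides per user).
    'certificate-only' : additionally require certificate authentication.
    Both refuse to resume a session that never authenticated or is unknown.
    """
    if rec is None or not rec.authenticated:
        return False
    if policy == "any-authenticated":
        return True
    if policy == "certificate-only":
        return rec.auth_method == "certificate"
    raise ValueError(f"unknown policy {policy!r}")


def handle_resume(cache: Dict[bytes, SessionRecord], session_id: bytes,
                  pkt: bytes, policy: str) -> bool:
    """Parse the incoming packet only to confirm it is an EAP-TLS Response;
    the decision itself comes from the cached record, not from octet 5."""
    hdr = parse_eap_header(pkt)
    if hdr.code != EAP_CODE_RESPONSE or hdr.eap_type != EAP_TYPE_TLS:
        return False
    return resumption_allowed(cache.get(session_id), policy)


# Constructed cache: a certificate-authenticated session, a password-authenticated
# one established through a tunnelled method, and one that never authenticated.
CACHE: Dict[bytes, SessionRecord] = {
    b"sess-cert": SessionRecord(True, "certificate", EAP_TYPE_TLS),
    b"sess-pw": SessionRecord(True, "password", EAP_TYPE_TTLS),
    b"sess-fail": SessionRecord(False, "certificate", EAP_TYPE_TLS),
}

# Constructed EAP-TLS Response: Code=2, Identifier=7, Length=6, Type=13, Flags=0
RESUME_PKT = bytes([2, 7, 0, 6, 13, 0])

if __name__ == "__main__":
    print("octet 5 of RESUME_PKT is Type", parse_eap_header(RESUME_PKT).eap_type)
    for sid in CACHE:
        for pol in ("any-authenticated", "certificate-only"):
            print(f"{sid.decode():10s} {pol:18s} -> {handle_resume(CACHE, sid, RESUME_PKT, pol)}")
```

Running it shows the point of disagreement in one table: the password-authenticated session resumes under `any-authenticated` and is refused under `certificate-only`, while the never-authenticated and unknown sessions are refused under both, and in no case does the Type octet of the resumption packet alter the outcome once it has been recognised as EAP-TLS.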