On Thu, Jul 25, 2019 at 10:49:40AM +0000, John Mattsson wrote:
> Question: How will the use of Application data with TLSPlaintext.fragment =
> 0x00 work with EAP-TTLS, PEAP, and TEAP when they start using TLS 1.3? I
> assume they will need to send the same 0x00 to commit to not sending any more
> handshake messages as well as using application data for other purposes. I do
> not know exactly what the TLSPlaintext fragments look like in EAP-TTLS, PEAP,
> and TEAP. The TLSPlaintext fragment for commit needs to be chosen so that the
> string does not collide with any other strings used.

I don't see why TTLS, PEAP, or TEAP would need to use this specific 0x00 indication for this since they end up using the tunnel for Phase 2 (or at least protected result indication if Phase 2 authentication is skipped) and that can be implicitly used for the same purpose. EAP-TLS needs this workaround because without it, the NewSessionTicket message changes in TLS 1.3 are quite inconvenient for EAP. With TTLS and PEAP, it would seem fine to send out the NewSessionTicket before concluding Phase 2. With TEAP, there is some more discussion about use of the NewSessionTicket option for provisioning the new PAC (which seems a bit inconvenient for some use cases IMHO, but nevertheless, I don't see this needing any additional mechanism for indicating when the NewSessionTicket is not going to be showing up).

-- 
Jouni Malinen
PGP id EFC895FA

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu