On Jan 5, 2021, at 11:05 AM, Michael Richardson <mcr+i...@sandelman.ca> wrote:
>
> Alan DeKok <al...@deployingradius.com> wrote:
>> Therefore, we need an explicit signal to the EAP-TLS layer that the
>
> Do you mean, "to the EAP layer"?
> s/EAP-TLS layer/EAP/ ??

If the EAP-TLS layer allows TLS negotiation OR EAP-Success, then it's possible to bypass TLS by spoofing an EAP-Success. So the EAP-TLS layer needs to have a way to say "we're done, EAP-Success is now OK".

It's really nested:

EAP ( EAP-TLS ( TLS ) )

We can't finish EAP until we know that EAP-TLS is finished. We can't finish EAP-TLS until we know that TLS is finished.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
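The nesting EAP ( EAP-TLS ( TLS ) ) and the "we're done" signal discussed above, as an added toy model that is not code from the thread or from any EAP implementation; the message names, the `EapTlsMethod`/`EapPeer` classes and the two sample flows are all constructed for illustration.

```python
"""Toy model of EAP ( EAP-TLS ( TLS ) ): the outer EAP layer accepts an
EAP-Success only after the inner EAP-TLS method has explicitly signalled
that TLS finished. An EAP-Success arriving earlier is discarded as spoofed.
Constructed example; record and message names are placeholders."""
from enum import Enum, auto
from typing import List, Optional, Tuple


class MethodState(Enum):
    IN_PROGRESS = auto()
    DONE = auto()


class EapTlsMethod:
    """Inner EAP-TLS method wrapping a simulated TLS handshake."""

    def __init__(self) -> None:
        self.state = MethodState.IN_PROGRESS

    def handle(self, tls_record: str) -> None:
        # "Finished" stands in for the last TLS handshake record (constructed name).
        if tls_record == "Finished":
            # The explicit signal to the EAP layer: TLS is done, so EAP-TLS is done.
            self.state = MethodState.DONE


class EapPeer:
    """Outer EAP layer. Trusts EAP-Success only once the method says it is done."""

    def __init__(self) -> None:
        self.method = EapTlsMethod()
        self.outcome: Optional[str] = None
        self.log: List[str] = []

    def receive(self, code: str, payload: Optional[str] = None) -> None:
        if code == "Request":
            self.method.handle(payload or "")
        elif code == "Success":
            if self.method.state is MethodState.DONE:
                self.outcome = "AUTHENTICATED"
            else:
                # TLS never completed, so this EAP-Success cannot be genuine.
                self.log.append("discarded EAP-Success before EAP-TLS signalled done")
        elif code == "Failure":
            self.outcome = "FAILED"


def run(messages: List[Tuple[str, Optional[str]]]) -> Tuple[Optional[str], List[str]]:
    """Feed a constructed message sequence to a fresh peer; return (outcome, log)."""
    peer = EapPeer()
    for code, payload in messages:
        peer.receive(code, payload)
    return peer.outcome, peer.log
```

A sequence such as `[("Request", "ServerHello"), ("Success", None)]` leaves the peer unauthenticated with the discard logged, while one that carries `("Request", "Finished")` before the `Success` authenticates.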