pedantically, because I think that there is much confusion here. Let me go back to the whole sentence:
Alan> Therefore, we need an explicit signal to the EAP-TLS layer that the
Alan> EAP-TLS method has finished. Discussion on the list went back and
Alan> forth between CloseNotify and sending one octet of application data.
Alan> Implementations have done both. The conclusion was that the one octet
Alan> of application data was slightly easier to implement.

Alan DeKok <al...@deployingradius.com> wrote:
>> Alan DeKok <al...@deployingradius.com> wrote:
>>> Therefore, we need an explicit signal to the EAP-TLS layer that the
>>
>> Do you mean, "to the EAP layer"?
>> s/EAP-TLS layer/EAP/ ??

> If the EAP-TLS layer allows TLS negotiation OR EAP-Success, then it's
> possible to bypass TLS by spoofing an EAP-Success. So the EAP-TLS
> layer needs to have a way to say "we're done, EAP-Success is now OK".

> It's really nested: EAP ( EAP-TLS ( TLS ) )

Okay, so I think that we need:
1) signal from the TLS layer to EAP-TLS layer
2) signal from the EAP-TLS layer to the EAP layer

But, you said, above:
"to the EAP-TLS layer that the EAP-TLS method has finished"

so I still think that there might be a typo :-)

--
Michael Richardson <mcr+i...@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
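A simplified model of the nested layering discussed in this thread, EAP ( EAP-TLS ( TLS ) ), added here as an example and not code from any poster or implementation. It shows the two signals (TLS to EAP-TLS, then EAP-TLS to EAP) gating whether an EAP-Success is honoured; the class names and the tuple record format are hypothetical, and the TLS layer is a stand-in rather than a real TLS stack.

```python
from enum import Enum, auto

class Verdict(Enum):
    ACCEPT = auto()
    DROP = auto()

class TlsLayer:
    """Innermost layer: stand-in for a real TLS stack (hypothetical model)."""
    def __init__(self):
        self.handshake_done = False

    def process(self, record):
        # Constructed record format: ("handshake_finished",) or ("appdata", bytes)
        if record[0] == "handshake_finished":
            self.handshake_done = True
            return None
        if record[0] == "appdata" and self.handshake_done:
            return record[1]  # only data protected by the finished handshake goes up
        return None

class EapTlsMethod:
    """Middle layer: decides when the EAP-TLS method has finished."""
    def __init__(self):
        self.tls = TlsLayer()
        self.finished = False

    def on_tls_record(self, record):
        data = self.tls.process(record)
        # Signal 1 (TLS -> EAP-TLS): one octet of protected application data.
        if data is not None and len(data) == 1:
            self.finished = True

class EapPeer:
    """Outer layer: honours EAP-Success only once the method has finished."""
    def __init__(self):
        self.method = EapTlsMethod()

    def on_eap_success(self):
        # Signal 2 (EAP-TLS -> EAP): "we're done, EAP-Success is now OK".
        return Verdict.ACCEPT if self.method.finished else Verdict.DROP

def run(events):
    """Feed a constructed event sequence to a peer; return one verdict per EAP-Success."""
    peer, verdicts = EapPeer(), []
    for ev in events:
        if ev == "eap_success":
            verdicts.append(peer.on_eap_success())
        else:
            peer.method.on_tls_record(ev)
    return verdicts
```
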