On Jul 4, 2022, at 4:04 PM, Mohit Sethi <mo...@iki.fi> wrote: > You don't have to use resumption. You just need to send NewSessionTicket as a > protected success indication.
That's reasonable. > I thought the reason for for forbidding use of client certificates without > phase 2 authentication was lack of protected success indication. Perhaps > there is some other reason? This is why I wrote in my original comment: "I > think it would make sense to add an explanation on why this was done? ". The draft explains why that behavior is forbidden. If you're doing client certs without phase 2 authentication, that's just EAP-TLS. There's no reason to have multiple methods of implementing EAP-TLS. People should just use EAP-TLS. > One-time password was only an example. Perhaps a wrong one. I just wanted to > highlight that we were forbidding TTLS/PEAP and now TEAP deployments from > using client certificates without phase 2 authentication. But there can be > deployments where some peers use client certificates without phase 2 > authentication while other peers use client certificates with additional > phase 2 authentication (password, etc.). I see no benefit to using client certificates without phase 2 authentication. Why not just use EAP-TLS? I'd like to understand the reasons why someone would use TTLS / PEAP / TEAP like that. Do you have use-cases where this behavior is different from EAP-TLS, and better than EAP-TLS? > The draft currently says that inner identity should not have a realm. > However, the example above, and many other guidance documents I have seen do > use a realm in the inner identity. Section 3.1 mentions this explicitly: However, if the inner identity does contain an NAI realm, the inner realm SHOULD be either an exact copy of the outer realm, or be a subdomain of the outer realm. The inner realm SHOULD NOT be from a different realm than the outer realm. There are very few reasons for those realms to be different. Alan DeKok. _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
