On Jan 27, 2023, at 7:56 AM, Heikki Vatiainen <h...@radiatorsoftware.com> wrote:
> My understanding is that the "housekeeping" functionality, or any
> other variation of multi-round inner password authentication, means
> that Basic-Password-Auth-Req <--> Basic-Password-Auth-Resp exchange
> is done multiple times before a single inner password authentication
> method is considered completed and an Intermediate-Result TLV and
> Crypto-Binding TLV are needed. I'll need to check the previous
> discussion about filler Intermediate-Result and CB.

The discussion was that every inner authentication required an Intermediate-Result-TLV, and a Crypto-Binding TLV.

> When strictly reading the RFC and draft, it doesn't talk about
> multi-round inner password authentication, but I guess this is
> supported?

It mentions multiple rounds of password authentication. I'll add text on permitting use-cases like "password + OTP" as separate rounds.

It may be worth noting that multiple rounds of EAP are supported for different Identity-Types, i.e. machine and then user. I don't think we want to allow multiple EAP authentications for a particular user.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu