https://www.ietf.org/archive/id/draft-ietf-emu-rfc7170bis-12.html#section-3.5.4
Implementations MUST NOT permit resumption for the inner EAP methods such as EAP-TLS. If the user or machine needs to be authenticated, it should use a full authentication method. If the user or machine needs to do resumption, it can perform a full authentication once, and then rely on the outer TLS session for resumption.

1. Are we talking about TLS-based inner method resumption only? That is not the only case. We can ‘save’ the result of MS-CHAP authentication, for example, and then skip the full authentication next time. Although the term ‘resumption’ might not be 100% correct here, I’d like to understand what we are talking about in the RFC.

2. I think the paragraph is slightly contradictory. The first sentence says ‘MUST NOT’ and the last sentence concludes with <well, unless>. To the best of my knowledge, inner method resumption is really desirable and widely used, especially if we are discussing all inner methods, not just TLS-based ones.

The idea of allowing resumption through the outer TEAP tunnel is also great. It is simple. The obvious caveat here is that this will not be achievable in TLS 1.2 (if tickets are used), since we cannot easily bind the ticket and the result of the inner authentication. But we could sacrifice that for the overall simplicity… Moreover, I guess it is reasonable to assume most TEAP implementations will have TLS 1.3 in the stack anyway.

Vadim
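To make the pattern under discussion concrete, here is an added toy model (not code from the draft, the poster, or any TEAP implementation) of a server that binds the result of one full inner authentication to the outer TLS session and reuses it on outer resumption, while refusing any inner-method resumption. The class, method names and the lifetime value are assumptions for illustration.

```python
from dataclasses import dataclass, field
import time


@dataclass
class AuthResult:
    """Outcome of one completed inner EAP method (constructed example)."""
    peer_identity: str
    inner_method: str      # e.g. "EAP-TLS" or "EAP-MSCHAPv2"
    completed_at: float    # seconds since the epoch


@dataclass
class TeapServer:
    """Hypothetical TEAP server state: outer TLS session id -> bound inner result.

    Keying a server-side cache by the outer session is the stateful binding the
    poster describes; with stateless TLS 1.2 tickets there is no such lookup.
    """
    session_lifetime: float = 3600.0           # assumed: how long a bound result stays valid
    cache: dict = field(default_factory=dict)  # tls_session_id -> AuthResult

    def full_authentication(self, tls_session_id, peer_identity, inner_method, now=None):
        """Run the inner method to completion and bind its result to the outer session."""
        now = time.time() if now is None else now
        result = AuthResult(peer_identity, inner_method, now)
        self.cache[tls_session_id] = result
        return result

    def resume_outer_session(self, tls_session_id, now=None):
        """Outer TLS resumption: reuse the bound result only while it is within lifetime.

        Returns None when a full authentication is required instead.
        """
        now = time.time() if now is None else now
        result = self.cache.get(tls_session_id)
        if result is None:
            return None                          # unknown session: full auth required
        if now - result.completed_at > self.session_lifetime:
            del self.cache[tls_session_id]       # stale binding: force a full authentication
            return None
        return result

    def resume_inner_method(self, tls_session_id, inner_method):
        """Inner-method resumption is never permitted (the draft's MUST NOT)."""
        raise PermissionError(f"resumption of inner method {inner_method} is not allowed")
```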
_______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu