On Sun, 20 Aug 2023 at 12:09, Alexander Clouter <alex+i...@coremem.com> wrote:
> On Thu, 17 Aug 2023, at 23:33, Alan DeKok wrote:
> >> If I did run EAP-TLS as an Inner method (whether once or twice), could
> >> I use resumption?
> >
> > Uh... why didn't anyone mention this before? TEAP is a near-endless
> > source of surprises and corner cases.
>
> In fairness I think you could have the same problem with TTLS, PEAP and
> FAST too.
>
> TTLS I suppose can be read as this should not be allowed in RFC5281
> section 7.5. MS-PEAP mentions resumption of Phase 1, but inner methods
> look to just be handwaved to inner TLV methods so I suppose "anything goes".
>
> Shame it missed the boat, would have been nice to slip this into RFC9427
> section 4 which currently does not deny it.

When the outer TLS-based EAP is processed by a different EAP server than the inner EAP-TLS, then why shouldn't inner EAP-TLS resumption simply be a matter of the EAP peer and the inner EAP server? In this case the outer EAP server wouldn't even know if the inner EAP-TLS does resumption or not, when the inner EAP is proxied through to a next hop server.

I'm not saying this can't be made simpler by banning inner TLS resumption. I'm just wondering why this is an issue. It could even complicate implementations when an EAP method in some cases is allowed to do TLS resumption and in some other cases it's forbidden.

A simpler way to do this is a reminder that EAP servers can turn off resumption in the part of the configuration that processes inner EAP-TLS.

--
Heikki Vatiainen
h...@radiatorsoftware.com
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu