On Sun, 20 Aug 2023 at 15:58, Alan DeKok <al...@deployingradius.com> wrote:
> On Aug 20, 2023, at 5:15 AM, Alexander Clouter <alex+i...@coremem.com> wrote:
> >
> > On Fri, 18 Aug 2023, at 01:01, Michael Richardson wrote:
> >> I'm not sure it's sane to use EAP-TLS for Inner method myself.
> >
> > If you mean in the general sense, I can imagine placing the user
> > credential on a hardware key whilst the machine credential is either a
> > regular software keychain or even more exotic and tied to the TPM.
>
> Or both user and machine do EAP-TLS. Only one certificate can be sent
> over TLS in Phase 1. The other has to be sent in EAP-TLS in Phase 2.
>
> But I do agree... TLS inside of TLS just seems bad.

I thought the justification for inner EAP-TLS with different tunnelling EAP methods, such as PEAP, is hiding the end user's identity. With TLS 1.3 this is no longer a problem, but with TLS 1.2 the client certificate is not encrypted.

-- 
Heikki Vatiainen
h...@radiatorsoftware.com
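The point Heikki makes above, as an added example that is not part of the thread: a small passive TLS record scanner, run over constructed TLS 1.2 and TLS 1.3 client flights (placeholder bytes, not a real certificate or capture), pulls the client Certificate out of the 1.2 handshake and finds nothing in the 1.3 one. It assumes the TLS records have already been reassembled from the EAP-TLS fragments of the Phase 1 exchange.

```python
import struct
HANDSHAKE, CHANGE_CIPHER_SPEC, APPLICATION_DATA, HS_CLIENT_HELLO, HS_CERTIFICATE = 22, 20, 23, 1, 11


def tls_records(data: bytes):
    """Yield (content_type, payload) for each TLS record in a raw byte stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, length = data[off], struct.unpack("!H", data[off + 3:off + 5])[0]
        yield ctype, data[off + 5:off + 5 + length]
        off += 5 + length


def cleartext_certificates(stream: bytes) -> list[bytes]:
    """Return DER blobs from any Certificate message readable on the wire.
    TLS 1.2 sends the client Certificate before ChangeCipherSpec, in the clear;
    TLS 1.3 carries it inside encrypted application_data records, so nothing is found."""
    found = []
    for ctype, payload in tls_records(stream):
        if ctype == CHANGE_CIPHER_SPEC:
            break                      # TLS 1.2: every later record is encrypted
        if ctype != HANDSHAKE:
            continue                   # TLS 1.3: type 23 is opaque ciphertext
        pos = 0
        while pos + 4 <= len(payload):
            hs_type = payload[pos]
            hs_len = int.from_bytes(payload[pos + 1:pos + 4], "big")
            body = payload[pos + 4:pos + 4 + hs_len]
            if hs_type == HS_CERTIFICATE:
                i = 3                  # skip certificates_length (3 bytes)
                while i + 3 <= len(body):
                    n = int.from_bytes(body[i:i + 3], "big")
                    found.append(body[i + 3:i + 3 + n])
                    i += 3 + n
            pos += 4 + hs_len
    return found


def record(ctype: int, payload: bytes) -> bytes:   # frame one record, version 3.3
    return bytes([ctype, 3, 3]) + struct.pack("!H", len(payload)) + payload


def handshake(hs_type: int, body: bytes) -> bytes:  # frame one handshake message
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


# Constructed sample data: a placeholder blob, not a real certificate or capture.
FAKE_USER_CERT = b"\x30\x82\x00\x10CN=placeholder"
CERT_MSG = handshake(HS_CERTIFICATE, (len(FAKE_USER_CERT) + 3).to_bytes(3, "big")
                     + len(FAKE_USER_CERT).to_bytes(3, "big") + FAKE_USER_CERT)
HELLO = record(HANDSHAKE, handshake(HS_CLIENT_HELLO, b"\x03\x03" + b"\x00" * 32))
TLS12_CLIENT = (HELLO + record(HANDSHAKE, CERT_MSG) + record(HANDSHAKE, handshake(16, b"\x00" * 32))
                + record(CHANGE_CIPHER_SPEC, b"\x01") + record(HANDSHAKE, b"\xaa" * 40))
TLS13_CLIENT = HELLO + record(APPLICATION_DATA, b"\xbb" * 60)  # encrypted Certificate, Finished
```

Run against a reassembled Phase 1 record stream from a real capture, the same function shows whether the outer TLS version still exposes the user certificate that the inner method was meant to hide.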
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu