> I know abfab is the lower-layer, but I thought the discussion was related > with the possible need to protect the abfab lower-layer BEFORE the EAP > authentication.
You can protect parts of the conversation that happen before the EAP authentication, you just can't verify them until afterwards. There was a separate question in the meeting about protecting application data that happens before EAP authentication (such as SASL mechanism negotiation), I suggested that you could use GSS channel bindings to protect this. Or you could restart the negotiation within an integrity protected channel. -- Luke _______________________________________________ abfab mailing list [email protected] https://www.ietf.org/mailman/listinfo/abfab
