On Thu, Jul 7, 2011 at 1:48 PM, Luke Howard <[email protected]> wrote:
>> If we get a shared key out of the method then GSS-EAP should probably
>> use it to construct its own protected success and failure messages
>> (which should be sent in addition to, and in parallel with the EAP
>> messages).
>
> AFAIK we only get a shared key on success. We do send unprotected error 
> messages at present.

It seems that with EAP-TLS you get a shared key (between the peer and
server) before success or failure is determined.  I guess that's
because success/failure hinges on authorization decisions made after
the TLS handshake succeeds.  OTOH, if the TLS handshake fails, it
fails.  This probably all depends heavily on which method we're
talking about, which is why I said "if" we get a shared key...

> I need to check the code to see if we send protected error messages in the 
> post-EAP exchange. If we don't we probably should, this isn't too hard as 
> that exchange is already protected anyway. Perhaps it just works :-)

:)

Nico
--
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
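The point raised in the thread, that a key shared between peer and server (for EAP-TLS, available once the TLS handshake completes and before the authorization decision) can be used to integrity-protect the method's own success and failure indications, can be demonstrated with a small worked example. The code below is added here and is not from the thread, from GSS-EAP or from any EAP method specification; the key-derivation label, the message layout and the sample session identifier are constructed assumptions chosen for illustration. It shows a receiver accepting only result indications whose keyed MAC verifies under the shared key, and rejecting altered, wrongly-keyed or replayed ones, which is the property an unprotected error message lacks.

```python
import hmac
import hashlib
import struct

# Wire layout for a protected result indication (constructed for this example):
#   1 byte   outcome (1 = success, 0 = failure)
#   16 bytes session identifier
#   4 bytes  monotonically increasing counter (big-endian)
#   32 bytes HMAC-SHA256 over the three fields above
BODY_FMT = "!B16sI"
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = 32


def derive_result_key(shared_key: bytes) -> bytes:
    """Derive a dedicated MAC key from the method's shared key.

    HKDF-style extract-then-expand with HMAC-SHA256. The label is an
    assumption of this example; a real key schedule would use the
    method's own labels so this key never collides with other uses
    of the shared key.
    """
    prk = hmac.new(b"\x00" * 32, shared_key, hashlib.sha256).digest()
    return hmac.new(prk, b"result indication" + b"\x01", hashlib.sha256).digest()


def protect_result(result_key: bytes, success: bool,
                   session_id: bytes, counter: int) -> bytes:
    """Build a result indication bound to the shared key, session and counter."""
    if len(session_id) != 16:
        raise ValueError("session_id must be 16 bytes")
    body = struct.pack(BODY_FMT, 1 if success else 0, session_id, counter)
    tag = hmac.new(result_key, body, hashlib.sha256).digest()
    return body + tag


class ResultReceiver:
    """Receiver side: verifies MAC, session binding and replay protection."""

    def __init__(self, result_key: bytes, session_id: bytes):
        self.result_key = result_key
        self.session_id = session_id
        self.last_counter = 0  # counters must strictly increase

    def verify(self, msg: bytes):
        """Return True/False for an authentic success/failure, None if rejected."""
        if len(msg) != BODY_LEN + TAG_LEN:
            return None
        body, tag = msg[:BODY_LEN], msg[BODY_LEN:]
        expected = hmac.new(self.result_key, body, hashlib.sha256).digest()
        # constant-time comparison so a forger learns nothing from timing
        if not hmac.compare_digest(expected, tag):
            return None
        outcome, session_id, counter = struct.unpack(BODY_FMT, body)
        if session_id != self.session_id or counter <= self.last_counter:
            return None  # wrong session or replayed message
        self.last_counter = counter
        return outcome == 1


def demo() -> dict:
    """Run the sender/receiver exchange on constructed inputs."""
    shared_key = bytes(range(64))            # constructed stand-in for the method key
    session_id = b"constructed-sid!"         # constructed 16-byte session identifier
    key = derive_result_key(shared_key)
    receiver = ResultReceiver(key, session_id)

    genuine = protect_result(key, True, session_id, 1)
    accepted = receiver.verify(genuine)                       # True

    # An unprotected failure: same layout, but no key material behind the tag.
    forged_failure = struct.pack(BODY_FMT, 0, session_id, 2) + b"\x00" * TAG_LEN
    forged = receiver.verify(forged_failure)                  # None (rejected)

    replayed = receiver.verify(genuine)                       # None (counter reuse)

    other_key = derive_result_key(b"\xff" * 64)
    wrong_key = receiver.verify(protect_result(other_key, False, session_id, 3))  # None

    return {"accepted": accepted, "forged": forged,
            "replayed": replayed, "wrong_key": wrong_key}


if __name__ == "__main__":
    print(demo())
```

The receiver only ever changes state after a successful MAC check, so an unkeyed failure message cannot tear down a session that the keyed exchange has not itself ended; this is exactly the gap an unprotected error message leaves open.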
