Alan,

On Thu, June 24, 2010 6:27 pm, Alan DeKok wrote:

>> Alan, do you want to prohibit an "inner method" from terminating on a
>> different entity than the "outer (tunnel) method"? If the answer is yes
>> then I have no further questions. If the answer is no then I'd like to
>> know how you intend on keeping the contents of that "inner method" away
>> from the prying eyes of these proxy attackers?
>
> The proposal to terminate TLS on the visited network *requires* that
> the user's credentials are exposed all the way down the proxy chain.

Wrong, it "allows the user credentials to be exposed", depending on the EAP method.

> The proposal to terminate TLS on the home network *permits* the home
> system to do what it wants with the user credentials.
>
> If you can't see a difference between the two scenarios, then there is
> nothing more to discuss.

I understand the difference (obviously a bit better than you do). And I didn't ask you to list the differences. You said that the former "fails the privacy requirements of any TLS-based EAP method." So I asked you a simple question. Let me rephrase it for you in the hope you will answer it: how do you propose to prevent this REQUIREMENT from not being met?

Dan.

_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
